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ABSTRACT 

This  thesis  proposes  operational  specifications  for  a  Structure 
Memory  (SM) .  A  specialized  hardware  component  of  a  general-purpose 
computing  system,  the  SM  would  directly  execute  operations  on  dynamically- 
structured  data  stored  in  it.  The  computing  system  is  assumed  capable  of 
exploiting  program  concurrency  at  the  machine-instruction  levely  For 
explanatory  purposes,  the  proposed  structure  operations  are-presented  in 
the  context  of  the  data  flow  model- of  concurrent  computation. 

/ 

^  Concurrency  among  a  set  of  program  instructions  which  all  examine  or 
modify  the  same  structure  must  be  carefully  controlled,  if  the  program  is 
to  be  determinate.  The  first  of  two  major  contributions  of  the  thesis  is 
a  combination  hardware/software  discipline  which  affords  maximal  concur¬ 
rency  consistent  with  determinacy.  Its  key  feature  is  that  the  SM  will 
not  return  a  given  pointer  until  certain  previously-returned  pointers  to 
the  same  structure  are  no  longer  available  as  operands. 

The  second  major  contribution  is  the  entry-execution  model  of  con¬ 
current  computation.  Reversing  the  emphasis  of  most  previous  work,  this 
model  concentrates  on  the  operations  performed  by  instructions,  while 
abstracting  away  details  of  how  operands  are  passed  among  them  and  how 
their  execution  order  is  determined.  The  essence  of  structure  operators^  -rr- 
that  the  result  of  an  execution  of  one  may  depend  on  the  input  to  previous 
executions  of  that  and  other  operators/-4^  is  given  a  natural  expression  in 
the  new  model I  A  proof  of  sufficient  conditions  for  determinacy’ of  a 
program  containing  structure  operators? is  made  more  generally  applicable 
through  use  of  the  entry-execution  model  as  its  medium. 
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Chapter  1 
Introduction 

This  thesis  proposes  specifications  for  a  Structure  Memory  (SM). 

A  specialized  hardware  component  of  a  general-purpose  computing  system, 
the  SM  would  directly  execute  operations  on  data  structures  stored  in  it. 
The  software  overhead  incurred  in  molding  complex  structures  to  conform 
to  the  elementary  organization  of  a  conventional  random-access  memory 
would  thereby  be  greatly  reduced. 

Brief  consideration  of  possible  SM  implementations  suggests  a 
potential  for  executing  several  operations  concurrently  (during  the 
same  time  interval) .  Exploitation  of  this  ability  could  result  in 
enhanced  SM  performance.  Unfortunately,  concurrent  operations  on  data 
structures  can  cause  different  runs  of  a  program  on  the  same  input  to 
produce  different  outputs.  Therefore,  techniques  must  be  found  for 
controlling  any  potential  SM  concurrency  to  prevent  this  intolerable 
unpredictability.  The  first  of  two  major  results  of  the  thesis  is  a 
combination  hardware/software  discipline  making  it  easy  to  eliminate 
all  dangerous  concurrency  at  the  sacrifice  of  little  safe  and  productive 
concurrency . 

The  second,  possibly  more  significant  result  is  the  entry-execution 
model.  This  radically-dif ferent  model  of  concurrent  programming  reverses 
the  emphasis  of  existing  models,  concentrating  on  the  operations  performed 
by  instructions,  while  abstracting  away  details  of  how  operands  are  passed 
among  them  and  how  their  execution  order  is  determined.  The  generality  of 
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th  e  correctness  proof  for  the  new  concurrency-control  discipline 
testifies  to  this  model's  usefulness. 

Section  1.1  below  presents  the  argument  for  a  hardware  SM.  It 
shows  how  the  SM  may  be  able  to  support  concurrent  operations  and  how 
this  may  have  undesirable  consequences.  Section  1.2  presents  a 
chapter-by-chapter  overview  of  the  logical  progression  of  steps  taken 
in  ths  thesis.  Section  1.3  concludes  with  a  brief  survey  of  related  work. 

1.1  Motivation 

An  important  part  of  many  computer  programs  is  the  manipulation  of 
data  structures.  One  way  of  viewing  a  data  structure  is  a-  a  set  of 
ordered  pairs  (s,e),  in  which  s  is  a  selector  and  e  is  an  element  of  the 
structure.  A  selector  is  an  atomic  datum  (typically  either  an  integer  or 
a  character  string)  which  serves  to  distinguish  its  associated  element 
from  all  others  in  the  structure;  therefore,  no  two  ordered  pairs  in  one 
structure  may  contain  the  same  selector.  An  element  is  either  an  atomic 
datum  or  another  data  structure. 

Figure  1.1-1  portrays  the  simplest  type  of  data  structure,  a  one- 
dimensional  array,  in  a  graphical  representation.  All  elements  of  an 
array  are  atomic  data  of  the  same  type  (e.g.,  integer,  real,  character). 
The  selectors  form  a  consecutive  sequence  of  integers;  in  the  example, 
those  from  1  through  4.  Each  element  is  depicted  as  a  node  at  the  lower 
level  of  the  graph  in  the  Figure;  a  node  representing  an  atomic  element 
has  that  atom  written  inside  it.  The  single  node  at  the  upper  level  of 
the  graph  represents  the  structure  as  a  whole.  For  each  ordered  pair 
(s,e)  in  the  structure,  a  branch  labelled  with  s  is  drawn  from  the  node 


A  One-Dimensional  Array 
Figure  1.1-1 


A  More  General  Structure 


Figure  1.1-2 


representing  the  whole  structure  to  the  node  representing  the  element  e. 

* 

Figure  1.1-2  displays  a  more  complex  data  structure.  The  elements  of  this 
are  of  different  types:  an  integer,  a  real,  and  another  structure,  an 
array  of  three  elements.  Representing  every  structure  as  a  separate  node 
has  allowed  a  consistent  graphical  treatment  of  both  atoms  and  structures 
as  elements.  This  second  example  also  has  more  general  selectors, 
encompassing  character  strings  as  well  as  integers. 

The  most  primitive  operation  on  a  data  structure  is  to  determine  its 
elements.  This  operation,  called  Select,  takes  a  structure  and  a  selector, 
and  returns  the  element  paired  with  that  selector  in  the  structure.  With 
data  structures  defined  as  above,  however,  a  single,  general  Select  oper- 
atlon  may  pose  a  hazard:  The  element  returned  may  be  input  to  other 
Select  operations  if  it  is  a  structure,  but  not  if  it  is  an  atom; 
conversely,  it  may  be  input  to  data-processlng  operations  (such  as  arith¬ 
metic)  If  it  is  an  atom,  but  not  if  it  is  a  structure.  Of  the  several 
alternative  methods  of  eliminating  this  hazard,  the  one  chosen  is  to 
redefine  a  data  structure,  based  on  its  graphical  representation.  Atomic 
elements  and  structures  alike  are  depicted  as  nodes.  Each  node  has  either 
(1)  an  atom  associated  with  it,  or  (2)  labelled  branches  emanating  from  it. 
A  data  structure  is  correspondingly  redefined  to  be  a  set  containing  (1)  an 
atom,  (2)  some  selector-element  pairs,  where  an  element  now  is  always  a 
structure,  or  (3)  both.  A  structure  according  to  the  old  definition  is 
made  a  structure  according  to  the  new  definition  by  replacing  each  atom 
with  the  set  containing  that  atom. 

With  this  revised  concept  of  data  structure,  a  Select  operation  can 


take  any  structure  and  any  selector,  and  always  return  a  structure. 
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If  Che  Input  structure  has  no  ordered  pair  containing  the  input  selector 


an  exception  (similar  to  an  arithmetic  overflow)  occurs,  whether  or  not 
the  structure  contained  only  an  atom.  A  second  operation.  Fetch,  retrieves 
the  atom  in  a  structure;  applying  it  to  a  structure  which  has  no  atom 
results  in  an  exception.  Structure-altering  operations  include  Assign, 
which  replaces  the  atom  in  a  structure  (or  adds  one  if  there  was  none) . 

The  set  of  operations  Select,  Fetch,  and  Assign  is  sufficient  to 
handle  static  data  structures.  A  static  structure  is  one  whose  graph 
representation  can  never  change  shape;  only  the  atoms  inside  the  nodes 
can  be  altered.  Frequently,  however,  it  is  desirable  that  an  unpredictable 
amount  of  input  data  be  retained  in  a  structured  form.  This  requires  the 
ability  to  manage  dynamic  data  structures,  the  shape  of  whose  graphs  may 
be  altered  by  the  addition  and  deletion  of  nodes  and  branches.  A  prime 
example  of  this  is  the  symbol  table  in  a  programming-language  processor 
(compiler  or  interpreter) .  Each  element  e  of  a  symbol  table  is  a  structure 
describing  the  linguistic  attributes  of  one  symbol  T  in  the  program  being 
processed;  the  selector  paired  with  e  is  most  conveniently  the  symbol  T 
itself.  Neither  the  elements  nor  the  selectors  in  the  symbol  table  are 
known  when  the  language  processor  starts;  hence  the  need  for  operations 
to  create  new  structures  from  existing  structures  and  new  selectors. 

The  first  encounter  with  each  new  symbol  in  the  program  triggers  a 
sequence  of  steps  to  add  it  to  the  symbol  table.  Figure  1.1-3  pictures 
what  the  last  step  might  be.  Part  (a)  shows  schematically  the  existing 
symbol  table  and  the  smaller  structure  constructed  to  describe  the  new 
symbol.  The  final  step  is  the  creation,  in  a  single  operation,  of  the 
new  symbol  table  in  part  (b) .  (Whether  or  not  the  old  symbol  table 
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contlnues  to  exist  apart  from  the  new  one  is  a  key  issue  of  the  thesis. 

The  subtle  distinction  will  be  discussed  later  in  this  chapter.)  Also 
useful  are  an  operation  to  create  a  new  structure  by  removing  an  element 
from  an  existing  one  and  operations  to  enumerate  all  of  the  selectors  in 
a  structure. 

The  only  memory  technology  in  which  it  currently  is  feasible  to  store 
large  amounts  of  information  is  the  random-access  memory  (RAM) .  A  RAM  is 
organized  as  a  one-dimensional  (or  possibly  two-dimensional)  array,  a 
homogeneous  collection  of  storage  cells,  each  capable  of  retaining  one 
atom,  with  selectors  (addresses)  which  form  a  sequence  of  consecutive 
integers.  RAM  hardware  can  support  static  data  structures;  that  is,  it 
can  directly  execute  operations  analogous  to  Select,  Fetch,  and  Assign, 
with  the  same  speed  with  which  it  accesses  any  stored  atom.  Support  of 
dynamic  data  structures,  however,  necessitates  elaborate  software  systems 
which  are  expensive,  first  to  write  and  verify,  and  then  to  execute. 

Great  bodies  of  literature  have  grown  up  concerning  software 
approaches  to  the  two  major  aspects  of  implementing  dynamic  data 
structures: 

1.  Storage  allocation  -  deciding  which  set  of  physical  cells  shall 
store  each  newly-created  structure,  and  deciding  when  those  cells 
can  be  re-used  because  the  structure  they  store  can  no  longer  be  an 
operand  to  any  operation. 

2.  Searching  -  storing  the  set  of  selectors  in  a  structure  so  that  the 
Select  operation  can  be  performed  quickly  (e.g.,  in  a  hash  table). 

Even  with  the  most  well-written  software,  dynamic  data-structuring 
operations  are  several  times  slower  than  basic  RAM  accesses. 
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These  observations  inspire  consideration  of  the  possibilities  and 
potentialities  of  shifting  the  support  of  dynamic  data  structures  from 
software  to  a  hardware  Structure  Memory  (SM)  .  The  SM  would  serve  as  an 
adjunct  to  the  RAM  in  a  computing  system,  as  diagrammed  in  Figure  1.1-4. 
The  RAM  continues  to  store  programs,  non-structured  data,  and  static 
structures,  while  the  SM  directly  executes  operations  on  dynamic  struc¬ 
tures.  The  Control  Unit  (CU)  fetches  and  decodes  instructions  from  the 
RAM,  finds  their  operands,  and  sends  these  to  the  appropriate  system 
component:  the  RAM,  the  SM,  or  a  functional  unit  (for  data-processing 
and  I/O  operations) . 


r 


Functional  I 
Units  \ 


Proposed  Computer  System  Organization 
Figure  1.1-4 


There  are  ample  precedents  for  this  development.  The  performance  of 


many  small  mini-computers  can  be  improved  by  shifting  the  execution  of 
floating-point  operations  from  software  routines  into  a  hardware  functional 
unit  [26].  The  importance  of  the  stack,  a  simple  dynamic  structure,  has 
prompted  the  inclusion  in  many  instruction  sets  of  special  push  and  pop 
operations,  which  replace  sequences  of  two  or  three  conventional  instruc¬ 
tions  [36].  In  the  SYMBOL  machine,  strings  are  manipulated  directly  by  a 
separate  unit  called  the  Memory  Controller  [29].  There  are  machine 
instructions  to  fetch  an  addressed  group  of  eight  bytes  and  return  the 
address  of  the  following  (or  preceding)  group  in  the  string,  and  to  append 
or  insert  a  group  into  a  string.  A  structure  may  be  formed  by  storing  the 
address  of  one  string  in  another  string.  String  storage  space  is  allocated 
automatically  (by  hardware)  as  it  is  needed,  and  a  single  instruction  will 
deallocate  all  storage  occupied  by  a  string,  even  if  it  is  structured. 

The  SM  envisioned  here  would  extend  the  concept  of  this  Memory  Controller 
to  encompass  the  manipulation  of  structures  with  selectors  (so  that  a 
program  need  not  fetch  and  search  an  entire  structure  to  find  a  given 
element) . 

To  minimize  the  amount  of  information  which  must  be  moved  between  the 
CU  and  the  SM,  all  dynamic  structures  will  be  stored  within  the  SM. 
References  to  stored  structures  will  be  communicated  outside  the  SM  by 
means  of  pointers .  A  pointer  is  an  arbitrary  bit  string  which  is 
associated  by  the  SM  with  a  unique  structure  stored  therein.  Pointers 
have  no  intrinsic  meaning  outside  the  SM;  therefore,  it  is  important 
that  other  units  of  the  computing  system  merely  pass  pointers  around, 
never  attempting  to  perform  operations  (e.g.,  arithmetic)  on  them. 

l 
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The  implementation  of  an  SM  would  probably  store  a  structure  by 
physically  associating  with  its  pointer  a  content .  The  content  for  the 
structure  {v, (s^,e^) , . . . , (sn,en) }  consists  of  a  bit  string  encoding  of  the 
atom  v  and  the  ordered  pairs  (s^,p^) , . . (8n»Pn) ,  where  p^  is  the  pointer 
to  e^,  i«l,...,n.  The  entire  content  would  be  stored  in  physically- 
adjacent  locations,  to  minimize  the  effort  required  to  search  it  for  a 
given  selector.  This  implies  that  a  content  may  have  to  be  moved  to 
another  set  of  physical  locations,  if  it  or  another  stored  content  changes 
size  (through  an  operation  such  as  that  illustrated  in  Figure  1.1-3),  or 
if  the  storage  space  becomes  fragmented  [10].  Therefore,  the  pointer 
associated  with  a  structure  cannot  be  treated  simply  as  an  unchanging 
physical  address  of  the  structure's  content.  A  mobile  content  can  be 
located  only  if  there  is  a  key  stored  within  it  (or  adjacent  to  it)  by 
which  it  can  always  be  recognized;  the  obvious  choice  for  a  key  is  the 
pointer  to  the  structure  for  which  this  is  the  content.  The  SM  therefore 
must  contain  an  associative  memory,  one  which  can  compare  a  given  key  (the 
search  key)  against  all  stored  keys  and  return  the  locations(s)  of  any 
matching  key(s) .  The  associative  memory  would  return  the  location  storing 
that  key;  the  content  of  the  structure  is  then  known  to  occupy  locations 
adjacent  to  that. 

There  are  two  basic  techniques  for  implementing  an  associative 
memory:  parallel  and  serial.  In  the  former,  all  stored  keys  are  compared 
against  the  search  key  at  the  same  time;  in  the  latter,  the  stored  keys 
are  compared  one  at  a  time.  The  parallel  method  results  in  the  fastest 
access  time,  but  requires  much  more  hardware:  one  comparator  circuit  per 
stored  key.  The  amount  of  comparator  hardware  needed  by  the  serial 


technique  is  negligible,  but  finding  a  match  may  entail  making  a  complete 
pass  through  the  memory,  comparing  against  every  stored  key. 

The  performance  of  the  inexpensive  serial  associative  memory  can  be 
greatly  improved  by  adding  comparators  dedicated  not  to  different  stored 
keys,  as  in  the  fully-parallel  approach,  but  to  different  search  keys  [18]. 
Then  as  the  stored  keys  are  retrieved,  one-by-one,  from  the  serial  memory, 
each  can  be  compared  to  several  search  keys  simultaneously.  The  guaranteed 
number  of  matches  per  complete  pass  through  the  memory  is  thus  increased 
from  one  to  the  number  of  search  keys  available  at  the  start  of  the  pass. 

The  search  keys  given  to  the  associative  memory  in  the  SM  are  pointer 
operands  of  structure  operations.  Exploiting  the  ability  to  search  for 
several  keys  at  once  requires  the  following:  the  operands  of  executions  of 
several  operations  can  be  sent  out  from  the  CU  to  the  SM  without  the 
results  of  any  of  the  executions  having  been  returned;  in  this  case,  those 
operations  are  defined  to  be  concurrent.  The  simplest  example  of  concur¬ 
rent  operations  is  seen  in  the  evaluation  of  the  expression  (a+b)*(c+d). 

The  operands  of  the  multiplication  cannot  be  sent  out  until  the  results  of 
the  two  additions  have  been  returned;  therefore,  the  multiplication  is  not 
concurrent  with  either  of  the  other  operations.  However,  the  operands  of 
both  additions  can  be  sent  out  before  the  results  of  either  have  been 
returned;  i.e.,  the  two  additions  are  concurrent. 

There  are  at  least  three  possible  reasons  for  which  concurrent  oper¬ 
ations  may  be  desirable  or  necessary:  In  a  very  slow  device  such  as  a 
serial  associative  memory,  the  total  time  required  to  execute  a  set  of 
concurrent  operations  can  be  reduced  by  a  factor  as  large  as  the  size  of 
the  set.  While  a  reduction  this  large  is  by  no  means  assured,  total 
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execution  tine  does  generally  decrease  as  the  number  of  concurrent  oper¬ 
ations  increases.  Secondly,  a  fully-parallel  associative  memory  might 
provide  structure  operations  which  are  as  fast  as  any  other  operations,  but 
between  executions,  this  expensive  device  would  sit  idle.  As  the  number  of 
concurrent  operations  increases,  the  number  of  operations  executed  per  unit 
time  Increases;  this  greater  utilization  can  be  a  strong  economic  Incentive 
for  concurrency.  Finally,  there  are  applications  which  are  Inherently 
concurrent,  such  as  real-time  systems  responding  to  external  events.  Since 
these  events  can  occur  in  any  order,  the  operations  they  Invoke  must  be 
able  to  execute  in  any  order. 

These  arguments  for  concurrency  are  offset  in  the  case  of  structure 
operations  by  a  peculiar  danger:  concurrency  may  compromise  a  program's 
functionality.  A  functional  program  is  one  which,  every  time  it  is  run  on 
the  same  inputs,  produces  the  same  outputs.  The  simplest  example  of  the 
danger  is  the  case  of  a  Fetch  and  an  Assign  operation  which  necessarily 
operate  on  the  same  structure.  If  these  are  concurrent  operations,  then 
the  order  in  which  they  are  executed  by  the  SM  is  not  fixed.  If  the  Fetch 
is  executed  first,  it  returns  the  atom  in  the  structure's  original  content; 
if  it  is  executed  second,  it  returns  the  new  atom  stored  by  the  Assign 
execution.  Thus,  in  two  runs  of  a  program  on  the  same  input,  the  same 
execution  may  have  a  different  result,  which  may  in  turn  lead  to  different 
program  outputs.  I.e.,  concurrent  operations  on  the  same  structure  may 
cause  a  program  to  be  non-functional. 

The  goal  of  the  thesis  is  to  specify  s  Structure  Memory  which  supports 
concurrent  operations  in  such  a  way  that  it  is  easy  to  guarantee  that  they 
do  not  induce  non-functionality.  Nothing  more  will  be  offered  on  the 
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subject  of  implementing  the  SM;  the  only  concern  is  for  specifying  an  oper¬ 
ation's  results  returned  from  the  SM  as  a  function  of  the  preceding 
sequence  of  operands  sent  to  the  SM.  The  primary  design  criterion  is  to 
maximize  the  allowable  concurrency  of  structure  operations,  consistent  with 
functionality.  The  secondary  criterion  is  to  minimize  the  computational 
complexity  of  distinguishing  functional  from  non-functional  programs,  if 
both  are  possible. 

It  is  assumed  that  the  SM  is  used  in  conjunction  with  a  CU  in  which 
any  two  structure  operations  which  could  be  concurrent  are  concurrent. 

The  capabilities  of  a  CU  vis-a-vis  concurrent  operations  are  expressed 
abstractly  by  a  model  of  concurrent  (or  parallel)  computation,  consisting 
usually  of  two  components: 

1.  A  parallel-programming  language,  a  collection  of  programs  each 
consisting  of  (a)  a  set  of  instructions,  (b)  a  diagram  of  where  an 
instruction  gets  its  operands  and  where  its  results  go  (the  data 
flow) ,  and  (c)  a  diagram  of  which  instructions'  results  must  be 
returned  before  which  other  instructions'  operands  can  be  sent 
(the  control  flow) . 

2.  A  method  for  generating  descriptions,  to  some  level  of  detail,  of 
the  possible  behaviors  of  the  CU  (computations)  when  given  any 
program  in  the  language  and  any  input  to  that  program. 

Although  for  clarity,  results  are  derived  using  a  specific  model,  it  is 
desired  that  the  SM  specification  be  expressed  as  abstractly  as  possible, 
i.e.,  divorced  from  any  particular  model  of  concurrent  computation. 
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1.2  Plan  of  the  Thesis 

Chapter  2  contains  a  precise  statement  of  the  goal  of  the  thesis  and 
of  the  approach  taken  to  achieving  that  goal.  It  also  formally  introduces 
the  data  flow  model  of  concurrent  computation  (so  called  because  the  same 
diagram  which  shows  a  program's  data  flow  also  specifies  its  control  flow) 
Data  flow  was  chosen  as  the  concrete  model  in  which  to  derive  results  for 
three  reasons:  (1)  it  provides  the  simplest  and  most  natural  expression 
of  concurrency,  (2)  all  data-flow  programs  having  no  structure  operations 
are  automatically  functional  [12],  and  (3)  there  are  several  efforts  under¬ 
way  to  implement  a  Control  Unit  based  on  the  data  flow  model  [4,  8,  15, 

20.  33,  35]. 

The  mechanism  for  generating  computations  is  a  non-determlnistic 
automaton  called  an  interpreter .  The  interpreter  is  defined  by  (1)  a  set 
of  possible  states,  and  (2)  a  non-deterministic  state-transition  rule, 
specifying  how  any  state  is  transformed  into  any  of  one  or  more  possible 
next  states.  A  program  P  together  with  an  input  to  P  establishes  an 
initial  interpreter  state.  The  computations  are  the  possible  state 
sequences  generated  from  this  initial  state  by  successive  applications  of 
the  state-transition  rule.  Every  final  state  of  one  of  these  sequences 
describes  a  program  output  for  P;  if  P  is  non-functional,  then  different 
state  sequences  starting  in  the  same  initial  state  may  lead  to  different 
final  states. 

Several  data-flow  languages  and  Interpreters  are  developed  in  the 
thesis.  The  first  language  described  is  the  basic  data-flow  language  . 


A 


This  is  assumed  to  include  an  unspecified  complement  of  operations  on 
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acomlc  data,  aa  well  as  control  constructs  for  conditional  branching  and 
looping.  The  two  languages  L^v  and  Lgg  are  then  formed  by  augmenting 
with  two  similar  systems  of  data-structuring  operations:  the  Structure-as- 
Value  (S-V)  and  the  Structure-as-Storage  (S-S)  systems.  Computations  are 
generated  from  programs  in  all  three  languages  by  the  single  standard 
data-flow  Interpreter . 

The  S-V  and  S-S  systems  illustrate  two  approaches  to  achieving  the 
goal  of  the  thesis.  The  fundamental  difference  between  them  can  be 
explained  by  reference  to  Figure  1.1-3.  Part  (a)  of  the  Figure  shows  two 
structures  which  are  to  be  "combined"  into  the  single  structure  of  part 
(b) .  The  S-S  system  includes  an  operation  (Update)  which  will  change  the 
stored  content  of  the  larger  original  structure  m,  adding  an  ordered  pair 
consisting  of  the  selector  ’d'  and  the  pointer  to  the  smaller  structure. 
Thus  the  same  pointer  (to  m)  points  to  different  structures  at  different 
times.  The  S-V  system,  on  the  other  hand,  contains  no  operation  which  can 
change  the  content  of  a  structure  after  a  pointer  to  the  structure  has  been 
returned  from  the  SM.  Instead,  the  S-V  operation  Append  accomplishes  the 
effect  pictured  in  Figure  1.1-3  by  creating  a  distinct  new  structure  n, 
whose  stored  content  equals  m's  content  with  the  new  selector-pointer  pair 
added.  Once  a  pointer  to  n  is  returned  from  the  SM,  it  always  points  to  a 
structure  identical  to  that  in  Figure  l.l-3(b),  while  the  pointer  to  m 
continues  to  point  to  a  structure  identical  to  the  larger  one  in  Figure 
l.l-3(a) . 

The  difference  between  the  S-V  and  S-S  systems  with  regard  to  the 
goal  of  the  thesis  can  be  stated  succinctly:  Given  two  programs,  one  in 
Lbv  and  one  in  LBg,  to  do  the  same  thing,  the  Lgg  program  may  have  more 
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concurrency,  but  it  also  may  be  non-functional;  the  Lgy  program  is  neces¬ 
sarily  functional.  I.e.,  solves  the  problem  of  guaranteeing  function¬ 
ality,  but  at  the  cost  of  some  potential  concurrency;  Lno  recovers  this 
loss,  but  in  so  doing  permits  additional  concurrency  which  may  induce  non¬ 
functionality.  This  inspires  the  search  (in  Chapter  3)  for  a  third 
language-interpreter  combination  which  eliminates  from  L_c  just  the 
dangerous  concurrency.  For  every  Lgy  program  P  (which  is  necessarily 
functional),  there  is  a  functional  program  P*  in  the  new  language  which  is 
equivalent  to  P  (i.e.,  which  produces  the  same  outputs  given  the  same 
inputs);  furthermore,  P'  contains  much  (if  not  all)  of  the  safe  concurrency 
missing  from  P.  Formal  definitions  of  a  functional  data-flow  program  with 
data  structures  and  of  equivalence  between  two  such  programs  are  given  at 
the  end  of  Chapter  2. 

Chapter  3  conmences  with  a  study  of  the  cause  of  non-functionality  in 
LgS  programs  on  the  standard  interpreter:  conflict.  Certain  pairs  of  con¬ 
current  operations  (e.g.,  a  Fetch  and  an  Assign)  conflict  if  it  is  possible 
that  equal  pointer  operands  to  executions  of  the  operations  are  in  the  SM 
at  the  same  time.  The  easiest  way  to  guarantee  functionality  is  to 
eliminate  all  possible  conflicts.  This  results  in  a  determinate  program, 
one  in  which  each  execution  always  has  the  same  operands  and  always 
produces  the  same  results  in  all  computations  on  a  given  program  input. 

A  novel  new  two-pronged  technique  for  insuring  freedom  from  conflict 
in  an  Loc  is  then  developed.  First,  each  program  is  rewritten  to  satisfy 
the  Determinacy  Condition  and  the  Read-Only  Condition;  the  subset  of  all 
Lgg  programs  satisfying  both  is  denoted  Lp.  Secondly,  the  interpreter  is 
modified  to  delay  return  of  the  pointer  result  of  a  Select  execution  until 
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certain  previously- re turned  pointers  to  the  same  structure  have  been  input 
by  other  executions.  It  is  argued  that  every  program,  running  on  the 
modified  interpreter,  is  functional;  the  remainder  of  the  thesis  is  devoted 
largely  to  a  rigorous  proof  of  this  claim.  The  final  section  of  Chapter  3 
presents  an  algorithm  to  translate  any  LgV  program  P  into  an  LQ  program  P', 
and  proves  that  if  P*  is  functional,  then  it  is  equivalent  to  P. 

Chapter  4  introduces  a  radically-dif f erent  model  of  concurrent  compu¬ 
tation,  the  entry-execution  model .  As  noted  earlier,  existing  models 
concentrate  on  the  data  and  control  flow  of  a  program,  virtually  ignoring 
the  actual  operations  performed  by  most  of  the  instructions.  The  new  model 
ignores  data  and  control  flow,  focusing  instead  on  defining  operations  and 
the  effects  of  their  concurrent  execution.  A  computation  in  the  entry- 
execution  model  consists  of  a  sequence  of  entries,  the  operand  and  result 
values  of  executions,  arranged  in  an  order  in  which  they  might  be  sent  from 
and  returned  to  the  Control  Unit.  An  algorithm  is  presented  for  con¬ 
structing,  from  any  data-flow  language  L  and  interpreter  I,  the  entry- 
execution  model  EE(L,I);  this  serves  a  dual  role:  as  a  concrete  example  of 
such  a  model,  and  as  the  first  step  in  applying  the  formal  results  to  LQ 
running  on  the  modified  interpreter  M. 

Chapter  5  develops  a  Structure-as-Storage  (S-S)  entry-execution  model. 
This  demonstrates  the  principle  (for  which  the  entry-execution  model  is 
particularly  appropriate)  of  defining  a  set  of  operations  by  specifying 
how  the  results  of  an  execution  depend  on  the  preceding  sequence  of 
executions'  operands.  This  definition  does  not  incorporate  the  concept  of 
a  data  structure;  it  is  simply  a  description  of  the  input/output  behavior 
expected  of  an  SM  which  stores  the  structures  and  performs  the  operations 
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described  earlier.  Therefore,  the  Chapter  also  shows  how  to  make  the 
connection  between  the  abstract  model  and  concrete  data  structures  which 
can  be  visualized. 

Chapter  6  first  defines  determinacy  in  entry-execution  terms.  It  then 
presents  seven  Determinacy  Axioms,  and  proves  quite  generally  that  if  any 
S-S  model,  of  any  concurrent  computing  system,  satisfies  these  axioms,  then 
it  is  determinate.  Six  of  the  axioms  are  standard:  their  importance  to 
guaranteeing  determinacy  in  systems  without  data  structures  (including 
data  flow)  has  long  been  appreciated .  The  seventh  axiom  embodies  the 
requirement  for  freedom  from  conflict  between  data-structuring  operations. 

Chapter  7  uses  the  result  in  Chapter  6  to  prove  that  running  on 
the  modified  interpreter  is  functional.  This  is  done  in  three  steps: 

(1)  verifying  that  EE(Lp,M)  is  an  S-S  model,  (2)  proving  that  EE(Lp,M) 
satisfies  the  seven  Determinacy  Axioms,  and  (3)  showing  that  the  algorithm 
by  which  EE(LD,M)  was  constructed  could  have  produced  a  determinate  model 
only  if  every  program  running  on  M  is  functional.  This  leads  to  the 
final  conclusion  that  the  translation  in  Chapter  3  from  to  Lp  does 
produce  equivalent  programs . 

Chapter  8,  the  final  chapter,  summarizes  the  developments  in  the 
thesis,  evaluates  how  well  these  meet  the  goals,  and  provides  suggestions 
for  further  research. 
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1.3  Related  Work 

This  section  surveys  past  research  on  the  topic  of  a  Structure  Memory 
and  the  problem  of  guaranteeing  functionality  in  the  face  of  concurrent 
structure  operations.  A  characterization  of  existing  models  of  concurrent 
computation  is  provided  as  a  prelude  to  the  introduction  of  the  entry- 
execution  model,  in  Section  4.1. 

Gertz  [18]  studied  the  implementation  of  an  SM  using  associative 
memories.  His  Generalized  Information  Structure  (GIS)  was  the  same  as  that 
defined  here  (Definition  2.2-1)  (except  that  directed  cycles  are  not 
allowed).  His  choice  of  operations  was  unusual,  however,  because  he  was 
primarily  interested  in  storing  data-flow-like  programs  in,  and  executing 
them  out  of,  the  SM.  The  major  results  included: 

1.  the  design  of  a  system  to  execute,  directly  from  the  SM,  GIS 
representations  of  parallel  programs.  Including  multiple  concurrent 
activations  of  a  single  procedure,  and 

2.  the  development  and  analysis  of  stochastic  models  of  modular, 
hierarchical  SM's  constructed  of  associative  memories. 

He  did  not  directly  address  the  issue  of  guaranteeing  functionality. 

Hawryszkiewycz  [21]  developed  a  scheme  for  coordinating  concurrent 
operations  on  a  data  base.  He  began  by  mapping  relational  data  bases  [7] 
onto  data  structures  like  those  being  used  here.  He  then  gave  a  set  of 
semantic  procedures ,  sequences  of  structure  manipulations  which  implement 
operations  on  relations.  His  primary  correctness  criterion,  though  a 
little  weaker,  was  not  fundamentally  different  from  the  requirement  of 
functionality:  The  overlapped  execution  of  two  semantic  procedures  on  the 
structure  representing  a  relation  should  result  in  the  same  transformation 


-28- 


as  if  one  procedure  (the  first  one  Invoked)  had  completed  before  the  other 
one  had  started.  His  solution  to  the  coordination  problem  was  very  similar 
to  the  one  proposed  herein  (which  was  independently  developed);  it  was, 
however,  less  simple  and  general,  for  the  following  reasons: 

1.  His  model  of  concurrent  computation  was  based  on  present  capabili¬ 
ties:  sequential  processes  synchronized  by  semaphores.  This  necess¬ 
itated  much  attention  to  details  (setting  and  testing  locks,  queuing 
up  suspended  processes)  which  tended  to  obscure  the  innovative 
mechanism.  In  the  data-flow  model,  these  effects  are  achieved  much 
more  easily. 

2.  He  had  additional  criteria  for  correct  coordination,  requiring  a 
mechanism  more  elaborate  than  would  be  necessary  for  simple 
functionality. 

3.  His  coordination  method  was  specialized  to  a  particular  set  of 
semantic  procedures;  it  is  not  clear  how  this  would  be  generalized 
to  arbitrary  concurrent  computations. 

The  Structure-as-Storage  operations  were  introduced  by  Dennis  in  [11]. 
This  paper  recognized  the  danger  of  non-functionality  and  suggested  (as  in 
the  present  work)  eliminating  it  through  a  combination  of  program  restric¬ 
tions  and  interpreter  modifications.  The  program  restrictions  (which  were 
extended  in  [17])  were  essentially  the  Determlnacy  and  Read-Only  Condi¬ 
tions.  The  Interpreter  modification,  however,  was  far  more  extensive  than 
that  proposed  here:  The  standard  interpreter  passes  data  and  permission 
to  execute  from  one  program  instruction  to  another,  in  one  direction;  the 
modification  of  [11]  required  that  permission  to  execute  also  be  passed 
back  in  the  other  direction,  at  least  between  structure  operations. 
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Maximal  concurrency  is  provided  at  the  expense  of  greatly-increased 
execution  time  for  structure  operations  by  the  interpreter  modifications 
devised  by  Campbel 1-Grant  [13].  His  technique  involved  maintaining,  for 
every  pointer  variable  v,  a  list  of  all  structures  reachable  from  that 
pointed  to  by  the  current  value  of  v.  In  general,  every  Select  and  Update 
execution  will  require  changing  one  of  these  lists,  incurring  enormous 
overhead . 

Both  Rumbaugh  [31]  and  Ackerman  [1]  offered  sets  of  Structure-as-Value 
operations  which  were  more  complex  than  those  in  LRy,  due  presumably  to  a 
stronger  desire  for  programming  ease  and  implementation  efficiency.  Both 
assumed  that  a  structure's  content  consists  of  a  fixed  number  of  elements, 
each  of  which  can  be  either  an  atom  or  a  pointer;  selectors  were  limited 
to  consecutive  integers.  Select  and  Append  operators  could  read  atoms  as 
well  as  pointers  (eliminating  the  need  for  the  Fetch  and  Assign  opera-  ■ 
tions) .  Ackerman  provided  just  the  Select  and  Append;  Rumbaugh  constructed 
more  complex  operations  out  of  these.  Both  presented  conceptual  designs 
for  at  least  part  of  the  SM  hardware  (the  ref er ence-counting  mechanism, 
explained  in  Section  8. 2. 1.1). 

All  of  the  Structure-as-Value  systems  (Rumbaugh's  and  Ackerman's,  as 
well  as  the  simpler  Lgv)  pay  the  same  price  for  guaranteed  functionality: 
the  loss  of  structure  concurrency  (as  explained  at  the  end  of  Section  2.2.2, 
structure  concurrency  is  the  ability  to  read  one  sub-structure  of  a 
structure  while  another  one  is  being  changed) .  Only  the  modified 
Structure-as-Storage  system  presented  ii?  Chapter  3  will  guarantee 
functionality  while  still  allowing  structure  concurrency. 


-30- 


Chapter  2 

Structure  Operations  and  Concurrency 

This  thesis  studies  concurrent  computations  with  two  fundamentally- 
different  sets  of  structure  operations:  the  Structure-as-Value  (S-V) 
operations  and  the  S true ture-as-S tor age  (S-S)  operations.  The  most 
striking  differences  between  a  program  P  using  S-V  operators  and  an 
apparently-equlvalent  program  P'  using  S-S  operators  are  that: 

1.  P*  exhibits  more  concurrency  than  P,  but 

2.  P’  might  not  be  equivalent  to  P,  because  it  might  not  be  functional. 
This  chapter  defines  the  two  sets  of  structure  operations,  within  the 

framework  of  a  specific  model  of  concurrent  computation  called  data  flow. 
Section  2.1  describes  the  basic  data-flow  language  without  structures,  Lg. 
Section  2.2  defines  the  languages  Lgy  and  Lgs  formed  by  augmenting  LR  with 
the  S-V  and  S-S  operations  respectively.  Section  2.3  illustrates,  through 
the  use  of  examples,  the  two  differences  between  programs  in  and  Lg,,. 
Finally,  Section  2.4  makes  precise  the  primary  goal  of  the  thesis:  To 
develop  a  language,  based  on  Lgg,  in  which,  for  every 
is  a  program  which  is  equivalent  to  P  and  maximally  concurrent. 

2.1  The  Basic  Data  Flow  Model 

As  explained  in  Chapter  1,  a  data-flow  model  consists  of  (1)  a  set  of 
programs ,  constructed  according  to  certain  syntactic  rules,  and  (2)  an 
interpreter,  which  generates  computations,  as  follows:  A  program  together 
with  an  input  to  it  establishes  an  initial  state  of  the  interpreter;  each 
possible  computation  by  that  program  on  that  input  is  an  ensuing  sequence 


Lgy  program  P,  there 
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of  interpreter  states,  generated  according  to  a  state-transition  rule. 

Section  2.1.1  below  describes  the  syntax  of  a  basic  data-flow  language  L  . 

B 

A  single  interpreter  gives  meaning  to  the  programs  in  L_,  L  ,  and  L  ; 

D  oV  US 

this  will  be  known  here  as  the  standard  data-flow  interpreter.  That 
portion  of  it  pertinent  to  programs  in  L^,  which  is  adapted  from  the  model 
first  described  in  [13],  is  defined  in  Section  2.1.2. 

2.1.1  Data-Flow  Programs 

A  data-flow  program  is  a  graph.  The  vertices  of  this  graph  represent 
instructions,  and  the  arcs  represent  local  data  storage. 

Definition  2.1-1  A  program  in  any  data-flow  language  is  a  connected 
directed  graph  over  a  set  of  labelled  vertices  called  actors.  The  unique 
label  of  each  actor  is  drawn  from  an  arbitrary  but  fixed  set  L.  The 
directed  arcs  terminating  on  an  actor  constitute  the  ordered  set  of  input 
arcs  of  that  actor.  The  directed  arcs  emanating  from  an  actor  form  the 
unordered  set  of  output  arcs  of  that  actor.  No  arc  is  an  input  arc  of 
more  than  one  actor,  and  no  arc  is  an  output  arc  of  more  than  one  actor. 
Those  arcs  which  are  not  output  arcs  of  any  actor  are  the  ordered  set  IN 
of  Program  input  arcs;  correspondingly,  the  ordered  set  OUT  of  program 
output  arcs  comprises  all  those  arcs  which  are  not  input  arcs  of  any  actor. 
If  IN  contains  m  arcs  and  OUT  contains  n  arcs,  the  program  is  an  m,n  data¬ 
flow  program. 
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Each  arc  in  a  program  conveys  one  of  two  types  of  information  

data  or  control  —  and  consequently  is  known  either  as  a  data  arc  or  a 
control  arc  (Figure  2.1-1).  All  data  are  drawn  from  an  atomic  value 
domain  V  for  the  language;  control  values  are  either  true  or  false. 

A 

An  input  arc  to  an  actor  d  stores  a  value  until  d  uses  it.  At  that 
time,  the  values  on  all  of  d's  input  arcs  are  removed,  and  used  to  compute 
results  which  are  placed  on  d's  output  arcs.  Thus  d's  results  are 
available  to  just  those  other  actors  of  which  one  of  d's  output  arcs  is 
an  input  arc. 

A  basic  data-flow  language  has  a  minimal  complement  of  control  and 
data-processing  actor  types.  From  these  can  be  constructed  control 
structures  corresponding  to  sequencing,  conditionals,  and  iteration. 

Definition  2.1-2  A  basic  data-flow  language  is  a  data-flow  language 
in  which  all  actors  are  restricted  to  be  from  one  of  the  following 
classes  (illustrated  in  Figure  2.1-2): 

1.  atomic  operator  -  An  operator  has  an  ordered  set  of  ^0  input  arcs, 
and  two  disjoint  sets  of  output  arcs:  the  number-1  group  and  the 
number-2  group.  Either  of  these  groups  (but  not  both)  may  be  empty. 


data  arc  control  arc 

Data-Flow  Program  Arcs 
Figure  2.1-1 


number-2 


operators 


T-gate 


F-gate 


merge  gate 


Actor  Types  in  a  Basic  Data-Flow  Language 
Figure  2.1-2 
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All  arcs  in  each  group  store  one  result  of  an  execution  of  the  actor, 
so  that  each  execution  produces  one  or  two  results.  Usually,  the 
nunber-1  group  will  be  data  arcs,  and  the  number-2  group  will  be 
control  arcs.  This  allows  consistent  treatment  both  of  functions 
(which  produce  data  values)  and  of  predicates  (which  produce  control 
values).  These  two  output  groups  may  be  jointly  defined,  with  a 
true  control  output  signaling  that  the  data  output  Is  meaningful; 
examples  of  the  use  of  such  hybrid  operators  will  be  seen  later. 

Each  r-lnput  operator  In  a  program  has  associated  with  It  a  total 
function: 

Vr  -►  ¥x{ true, false)  or  Vr  -►  VxV 
Whenever  the  operator  is  executed,  the  values  stored  on  its  r-tuple 
of  input  arcs  are  combined  to  form  the  input  r-tuple  to  the  function. 
The  values  in  the  resulting  output  pair  are  then  placed  on  the 
number-1  and  number-2  output  arcs,  respectively. 

2.  T-gate  and  F-gate  actors. 

3.  merge  actors. 

4.  Boolean  actors  and,  or,  and  not. 

These  last  three  types  of  actors  control  the  flow  of  data  through 
a  program.  Their  operation  Is  described  in  greater  detail  In  the 
following  subsection. 


A 
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Figure  2.1-3  Is  a  simple  example  of  a  program  In  a  basic  data-flow 
language.  It  computes  the  value  of  the  expression  (a+b)*(c-d) .  The 
four  arcs  in  IN  have  been  labelled  a,  b,  c,  and  d  to  Indicate  the  input 
variable  for  which  the  arc  represents  storage.  The  2-tuple  of  input  arcs 
of  the  non-commutatlve  subtraction  operator  has  been  indexed. 

Informally,  a  computation  by  this  program  proceeds  according  to 
the  following  rules:  At  any  time  after  the  values  of  inputs  a  and  b  are 
stored  on  their  respective  input  arcs,  the  addition  operator  "fires".  That 
is,  it  removes  a  pair  of  values  from  its  input  arcs,  applies  its  associated 
function  (addition)  to  this  pair,  and  places  the  result  on  its  output 
arc.  The  subtraction  operator  acts  similarly.  Since  none  of  the  data 
needed  by  a  firing  of  one  of  these  or  rators  is  produced  by  the  other, 
the  operators  are  concurrent.  Finally,  when  the  outputs  of  both  the 
addition  and  subtraction  are  available,  the  multiplication  operator  is 
enabled  to  fire. 

a  1  b 


+ 


A  Simple  Data-Flow  Program 
Figure  2.1-3 
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A  particular  basic  data-flow  language  is  distinguished  solely  by 
its  atomic  value  domain  V  and  the  functions  available  for  operators* 
Typical  would  be  the  elementary  data  types  and  operations  of  standard 
programming  languages:  integer  and  floating-point  arithmetic  and  string 
manipulations.  The  only  element  presupposed  in  this  thesis  is  a  distinc¬ 
tive  value  in  V  denoted  by  undef .  A  token  with  this  value  might  be 
output  as  a  result  of*  e.g.,  attempting  to  divide  by  zero.  It  is 
assumed  that  an  otherwise  arbitrary  choice  of  V  and  of  the  data-processlng 
functions  has  been  made;  the  resultant  basic  data-flow  language  will  be 
denoted  Lg.  The  next  subsection  defines  that  portion  of  the  standard 
interpreter's  state  and  state-transition  rule  involved  in  interpreting 
programs  from  Lg. 

2.1.2  State  Transitions 

A  computation  by  a  program  P  from  1^  Is  a  sequence  of  states  of 
the  standard  data-flow  Interpreter.  The  only  non-empty  component  of 
the  standard  interpreter  state  when  interpreting  P  will  be  a  configuration 
for  P.  This  simply  tells  what  arcs  hold  what  values.  Each  transition 
from  one  state  to  the  next  in  a  sequence  involves  removing  old  values 
from  some  arcs  and  placing  new  values  on  other  arcs;  the  graph  containing 
these  arcs,  which  is  P,  remains  constant. 

Definition  2.1-3  A  configuration  of  a  data-flow  program  P  from  L_  is: 

1  O 

1.  P,  plus 


2.  an  association  of  a  value  from  Vor  the  symbol  null  with  each 
data  arc  of  P,  plus 
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3. 


an  association  of  a  symbol  from  the  set  {true,  false,  null } 
with  each  control  arc  of  P. 


Figure  2.1-4  Is  an  example  of  an  ALGOL  program  and  a  configuration 
of  the  equivalent  2,1  data-flow  program.  (This  program  computes  the 
sum  of  the  first  N  positive  integers;  Its  Interpretation  is  explained 
shortly.)  A  solid  circle  is  drawn  on  each  arc  with  which  is  associated 
a  non-null  value,  and  a  symbol  denoting  that  value  is  written  beside 
the  circle.  These  circles  are  called  data  tokens,  true  tokens,  and 
false  tokens ,  according  to  the  associated  value.  The  figure  depicts 
an  initial  configuration  for  the  program:  all  program  input  arcs  have 
tokens  on  them,  as  do  certain  control  arcs. 


Data  Flow  ALGOL 

Two  Equivalent  Programs 
Figure  2.1-4 
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Each  of  Che  state  transitions  occurring  in  interpreting  a  program  P 
from  Lg  will  involve  re-distributing  the  tokens  on  the  input  and  output 
arcs  of  a  single  actor  in  the  configuration  of  P;  this  is  known  as 
"firing"  the  actor.  The  distributions  just  before  and  after  a  firing  of 
an  actor  depend  on  the  type  of  the  actor,  as  depicted  in  Figure  2.1-5. 
The  state-transition  rule  is  given  in  the  following  two  definitions. 

Definition  2.1-4  The  leftmost  of  each  pair  of  token  distributions  shown 
in  Figure  2.1-5  is  the  enabled  condition  for  a  particular  type  of  actor. 
In  general,  an  actor  is  enabled  (to  fire)  just  when  all  its  input  arcs 
have  tokens  on  them  and  all  its  output  arcs  are  empty.  The  sole 
exception  is  the  merge  gate.  This  requires  a  data  token  on  only  one 
data  input  arc;  which  arc  depends  on  the  value  of  the  control  token. 

A 

Definition  2.1-5  That  portion  of  the  state-transition  rule  of  the 
standard  data-flow  Interpreter  which  is  pertinent  to  programs  from 
Lg  is: 

Given  a  state  in  a  computation  sequence,  each  possible  next  state 
in  that  sequence  is  found  by: 

1.  Select  one  enabled  actor  d  In  the  configuration  of  the  state. 

2.  If  that  actor  is  one  of  the  types  allowed  in  t»  ,  then  the  next 

o 

state  is  identical  except  for  the  input  and  output  arcs  of  d. 
These  are  re-configured  as  in  the  diagram  paired  with  the 
enabled  condition  in  Figure  2.1-5.  The  values  of  the  newly- 
created  tokens  are  found  as  follows,  depending  on  the  type  of  d: 


and/or  not 

Firing  Rules  for  Data-Flow  Actors 
Figure  2.1-5  (cont’d) 

a.  operator  -  The  function  associated  with  d  is  applied  to  the 
r-tuple  of  atomic  values  of  the  tokens  removed  from  d's 
ordered  set  of  r  input  arcs.  The  resultant  two  values  are 
placed  on  all  of  d’s  number-1  and  number-2  output  arcs. 

b.  T-gate  and  F-gate  -  The  value  of  the  output  data  token,  if  any, 
is  equal  to  the  value  of  the  input  data  token. 

c.  merge  gate  -  The  value  of  the  output  data  token  is  equal  to 
the  value  of  that  input  data  token  which  is  removed  in  the 
firing.  Any  token  on  the  other  data  input  arc  is  undisturbed. 

d.  Boolean  actors  -  These  actors'  outputs  are  defined  in  the 
usual  manner. 

A 

The  gate  actors  —  T-gates,  F-gates,  and  merge  gates  —  are  used 
together  to  control  flow  of  data  along  alternate  paths,  thereby  causing 
the  performance  of  alternate  computations.  Figure  2.1-6  depicts  schema¬ 
tically  a  conditional  (if-then-else)  construction.  This  is  an  m,n  program; 
the  subprograms  and  are  m^,n  and  programs  respectively.  The 
decider  D  is  an  m^,l  program  which  produces  a  control  output  from  m^  data 


Inputs.  Of  the  m  program  inputs,  a  subset  of  size  m^  are  taken  through 
T-gates  to  become  the  inputs  to  S^,  of  them  are  taken  through  F-gates 
to  become  the  inputs  to  S2  >  and  are  taken  directly  to  be  inputs  to  D. 
Each  of  the  m  program  inputs  must  be  an  input  to  at  least  one  of  a  T-gate, 
F-gate,  or  D.  There  are  n  merge  gates,  each  having  as  inputs  one  output 
from  each  of  and  S^*  The  connections  from  the  output  of  D  to  the 
control  inputs  of  all  the  gates  have  been  omitted  for  clarity.  Whenever 
D  outputs  a  true,  gets  m^  inputs  from  among  the  m  program  Inputs;  the 
n»2  F-gate  Inputs  simply  disappear.  The  resulting  n  outputs  of  even¬ 
tually  appear  on  the  T  Inputs  of  distinct  merge  gates.  Since  these  gates 
also  have  true  inputs,  the  n  program  outputs  are  those  produced  by  S^. 

Gates  are  also  used  to  form  the  iteration  construct,  a  specific 
example  of  which  is  found  in  Figure  2.1-4.  The  interpretation  of  this 
program  can  be  explained  as  follows:  In  any  configuration,  just  one  arc 
on  each  of  the  two  directed  cycles  will  have  a  token  associated  with  it. 

The  value  of  the  token  in  the  left-hand  cycle  is  the  value  of  sum;  the 
value  in  the  right-hand  cycle  is  the  value  of  i.  In  the  initial  config¬ 
uration,  both  merge  gates  and  M2  have  false  control  inputs,  conditioning 
them  to  output  the  values  found  on  their  F  inputs.  These  latter  values 
are  the  program  inputs  0  and  N  respectively. 

In  the  initial  configuration,  just  and  M2  are  enabled  to  fire. 

til 

Firing  M^  enables  P.  On  all  but  the  N  iteration,  P  outputs  a  true. 

This  enables  the  T-gates  1^  and  1^  to  inject  the  current  values  of  sum 
and  i^  into  their  respective  loops;  it  also  disables  1^  from  producing  a 
program  output,  and  conditions  M^  and  M2  to  receive  tokens  on  their 


T  inputs.  0^  is  enabled  as  soon  as  I  fires;  the  firing  of  0^  places  the 
next  value  of  i  on  M^'s  T  input.  0^  is  enabled  after  both  1^  and  have 
fired;  its  firing  places  the  sum  of  the  current  values  of  sum  and  i_  on 
Mj's  T  input. 

Thus  each  pair  of  firings  of  and  M2  causes  the  eventual  re-enabling 

of  those  operators,  with  new  inputs  equal  respectively  to  the  sum  of  their 

st 

last  outputs,  and  to  one  less  than  M2' s  last  output.  After  the  N+l  pair 
of  firings.  P's  input  is  no  longer  greater  than  zero,  so  all  gates  get 
false  tokens.  The  T-gates  1^  and  1^  will  then  choke  off  the  loops,  so 
that  M^  and  M2  do  not  get  T  inputs.  1^  will  output  the  most  recent  value 
of  sum,  which  is  the  program  output.  Finally,  M^  and  M2  are  re-initialized 
with  false  inputs.  All  internal  (not  program  input  or  output  arcs)  are 
now  as  in  the  initial  configuration,  so  the  program  is  ready  to  perform 
the  same  computation  on  the  next  set  of  program  inputs. 

This  completes  specification  of  the  basic  data-flow  language  Ln  and 

D 

of  that  portion  of  the  standard  Interpreter  involved  ln  interpreting  it. 

The  next  section  now  introduces  data-flow  languages  containing  two 
alternative  sets  of  structure  operations. 

2.2  Structure  Operations 

This  section  defines  two  languages:  the  data-flow  language  with 
structures  as  storage,  L^g,  and  the  data-flow  language  with  structures 
as  values,  L^.  Each  of  these  is  an  extension  of  L^.  Computations  for 
both  are  generated  by  the  single  standard  data-flow  interpreter.  The  state 
of  this  interpreter  has  two  components:  1)  the  configuration,  which  has 


just  been  defined,  and  2)  the  heap,  vhlch  is  composed  of  all  data  structures 
which  can  be  processed  by  subsequent  computation.  The  heap  Is  defined 
first,  followed  by  the  definition  of  the  structure  operators  in  and 
Lgg,  which  interact  with  the  heap. 

2.2.1  The  Heap 

The  heap  takes  the  form  of  a  directed  graph  with  labels  on  mil 
branches  and  atomic  values  stored  at  some  nodes  (Figure  2.2-1).  The 
labels  on  the  branches,  termed  selectors,  are  drawn  from  a  set  2  of  atomic 
values  (typically,  2  consists  of  the  integers  and  the  character  strings.) 

No  two  branches  emanating  from  the  same  node  may  be  labelled  with  the  same 
selector.  Formally: 


A  Heap 
Figure  2.2-1 
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Definltion  2.2-1  N  is  an  infinite  set  of  abstract  entities  called  nodes. 

V  is  a  subset  of  the  atomic  value  domain  V.  The  elements  of  V 
P  P 

are  pointers. 

The  set  £  of  selectors  is  a  subset  of  V-Vp,  on  which  has  been  imposed 
an  arbitrary  but  fixed  total  ordering  <. 

The  heap  component  of  the  state  of  the  standard  data-flow  interpreter 
is  an  ordered  triple 

(N,  n.  SM) 

where: 

N  c  N  is  a  finite  set  of  active  nodes  (the  remaining  nodes  of  N 
are  free) 
n:  V  N 

is  a  one-to-one  onto  mapping  from  pointers  to  active  nodes. 

SM  is  a  function  which  maps  each  active  node  into  a  content. 

* 

A  content  is  a  set  containing: 

a)  one  value  from  V- or  the  symbol  nil,  and 

b)  zero  or  more  ordered  pairs  from  £xN, 
constrained  so  that  no  selector  from  £  occurs  in  more  than 
one  pair  of  the  content. 

This  definition  of  a  heap  represents  a  directed  graph  by  the  following 
correspondences:  Atomic  value  vfV  is  the  value  of  active  node  m  iff 
v€SM(m) .  There  is  a  branch  from  node  m  to  node  n  labelled  with  selector 
s  in  the  heap  iff  (s,n)€SM(m). 

The  notation  "dom  IT"  will  be  used  as  an  abbreviation  for  the  domain 
of  mapping  n,  i.e.,  the  set  (p€ J  3n€N:  (p,n)€I>. 


A 
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Nodes  appear  only  in  a  heap,  where  they  serve  in  two  capacities:  1)  as 
holders  of  atomic  values,  and  2)  as  endpoints  for  the  branches  which 
indicate  relations  among  structures  in  the  heap.  Pointers  are  atomic 
values,  which  appear  only  as  the  values  of  tokens  in  a  configuration.  As 
will  be  seen,  each  structure  operator  in  either  Lgy  or 
one  pointer  input,  and  accesses  the  content  of  one  node  in  the  heap;  that 
node  is  associated  with  that  pointer  by  the  function  TT» 

Selectors  serve  to  distinguish  among  the  several  branches  which 
relate  a  node  directly  to  other  nodes,  and  they  can  be  considered  to  name 
those  relations.  The  forms  of  selectors  should  mimic  those  actually  used 
in  programming  systems.  These  would  Include  integers  (used  to  relate 
arrays  to  sub-arrays  and  to  individual  elements,  for  example)  and 
character  strings  (used  to  name  more  general  relations.) 

The  following  defines  some  relationships  within  a  heap: 

Definition  2.2-2  For  any  active  node  m  in  a  heap: 

If  there  is  a  branch  from  m  to  n,  then  m  is  the  superior  node  and 
n  the  inferior  node  of  that  branch.  The  set  of  selectors  in  all  ordered 
pairs  in  SM(m)  is  the  set  0(m)  of  selectors  off  m.  The  successors  of  m 
are  just  those  nodes  in  ordered  pairs  in  SM(m).  For  each  ordered  pair 
(s,n)  in  SM(m),  n  is  the  s-successor  of  m. 

A  path  from  node  m  to  node  n  is  a  sequence  of  nodes  n^,  n2»...»  n^ 
such  that 

i)  nj  -  m 
ii)  nk  ■  n 

k,  n^  is  a  successor  of  nj_^. 


LgS  has  at  least 


ill)  for  i  -  2 


Node  n  is  reachable  from  node  m  iff  there  exists  a  path  from  m  to  n 
The  node  m,  together  with  all  and  only  those  nodes  reachable  from  m 
constitute  the  component  rooted  at  m. 


2.2.2  The  Data-Flow  Languages  with  Structures 

This  section  introduces  two  sets  of  structure  operators.  These  are 
defined  here  as  specific  actors  in  a  data-flow  language.  A  structure 
operator  is  fired  just  like  an  atomic  operator  from  the  basic  language 
Lg:  tokens  are  removed  from  all  its  input  arcs  and  tokens  are  placed  on 
all  its  output  arcs.  However,  while  the  output  of  an  atomic  operator  is 
a  fixed  function  of  just  its  inputs,  the  output  of  a  structure  operator 
may  depend  on  the  current  heap  as  well.  Furthermore,  the  firing  of  certain 
structure  operators  will  cause  changes  In  the  heap. 

Adding  the  two  sets  of  structure  operators  to  Lg  results  in  the 
languages  L^,  the  basic  data-flow  language  with  structures  as  values, 
and  L  .  the  basic  data-flow  language  with  structures  as  storage: 


Definition  2.2-3  is  a  data-flow  language  in  which  all  actors  are 

restricted  to  be  from  one  of  the  four  classes  of  actors  in  L  (Definition 

B 

2.1-2),  or  one  of  the  following: 

5a.  structure  operators  -  Fetch,  Const,  First,  Next,  Select,  Append, 
Remove. 

Lgg  is  a  data-flow  language  in  which  all  actors  are  restricted  to  be 
from  one  of  the  four  classes  of  actors  in  L^,  or  one  of  the  following: 

5b.  structure  operators  -  Fetch,  Assign,  First,  Next,  Select,  Copy, 

Update,  Delete.  A 


8- 
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The  graphical  representations  of  the  structure  operators  are  depicted  in 
Figure  2.2-2.  Note  that  the  Fetch,  First,  Next,  and  Select  operations  are 
common  to  both  languages.  (The  sets  of  structure  operations  in  LfiV  and 
Lgg  are  extensions  of  those  introduced  by  Dennis  in  [12]  and  [11]  respec¬ 
tively.  His  assumed  structures  in  which  a  node's  content  could  not 
contain  both  an  atomic  value  and  branches,  and  he  had  no  operations 
equivalent  to  First  and  Next.) 

Computations  (state  sequences)  are  generated  from  programs  in  both 

Sv  and 

the  state- transition  rule  has  already  been  given.  Completing  it  requires 
specifying  both  the  effect  of  firing  each  kind  of  structure  operation  and 
the  rules  for  type  compatibility!  Pointers  are  a  type  of  atomic  value 
fundamentally  different  from  non-pointers.  The  only  non- trivial  actors 
which  can  accept  pointers  as  meaningful  inputs  are  the  structure  operators 
it  is  not  possible,  e.g.,  to  perform  arithmetic  on  pointers.  The  few 
"trivial"  actors,  including  gates  and  others  to  be  introduced,  have  some 
Inputs  from  which  they  do  not  attempt  to  extract  any  meaning;  those 
inputs,  therefore,  may  be  allowed  to  be  of  either  pointer  or  non-pointer 
type.  These  actors  will  be  known  as  the  pseudo-identity  actors: 

Definition  2.2-4  A  pseudo-identity  (pi)  actor  is  any  actor  which  at  every 
firing  necessarily  outputs  tokens  with  a  value  equal  to  that  of  the  token 
removed  from  one  of  its  input  arcs  at  that  firing.  Any  input  arc  of  a 
pi  actor  whose  value  could  be  copied  to  the  actor's  output  arcs  is  a 
transmltted-input  arc  (i.e.,  the  merge  gate  is  the  only  pi  actor  with 


L__  by  the  single  standard  data-flow  interpreter.  A  portion  of 


more  than  one  transmltted-input  arc) . 


A 
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The  standard  state-transition  rule  is  completed  below  by  codifying 
the  type-compatibility  constraints  and  describing  the  effect  of  firing 
each  structure  operator  (an  Informal  discussion  of  these  operators  then 
follows) . 

Definition  2.2-5  The  state- transition  rule  of  the  standard  Interpreter 
consists  of  the  portion  found  in  Definition  2.1-5,  plus  the  following: 

3.  If  either 

a.  the  enabled  actor  d  is  not  a  structure  operator  or  a  pi  actor, 
and  there  is  some  input  arc  of  d  with  a  token  whose  value  is  a 
pointer ,  or 

b.  d  is  a  structure  operator  and  the  values  of  the  tokens  on  d's 
input  arcs  are  not  as  specified  In  Table  2.2-1  for  the  type  of  d, 

then  the  next  state  is  a  fault  state.  (The  handling  of  faults  is 
beyond  the  scope  of  this  thesis.) 

4.  Otherwise,  the  next  state  is  related  to  the  current  one  as  follows: 
a.  The  configuration  component  is  identical  except  for  the  input 

and  output  arcs  of  d.  The  input  arcs  all  have  been  emptied,  and 
the  output  arcs  all  have  had  tokens  placed  on  them.  The  value  of 
the  tokens  placed  on  the  number-2  output  arcs  is  found  by  eval¬ 
uating  the  predicate  listed  for  d  in  Table  2.2-1.  (The  Copy 
operator  is  unique  in  that  there  is  no  meaningful  predicate  to 
associate  with  it.  Hence,  both  of  its  groups  of  output  arcs  are 
data  arcs,  which  receive  Identical  output  values.)  The  value  of 
the  data  output  tokens  depends  on  d  as  follows: 
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Structure 

Operator 

Input  Values 

Output  Values 

Heap  Alterations 
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0 

Wnil 

No 
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Update 

s 

1.  p*Vp 
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3.  rf  V 

P 

0 

No 

Delete 

s 
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P 
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sf 0(m) 

No 

Copy 

s 

1.  pfV 

p 

q,  where  qfdom  n 

q 

ms 

SH'(n)  -  SM(m) 

Const 

V 

PfVp 

2.  v'f(V-V  ) U ( ni  1 ) 
_ P  - 

h 

v*nil 

Yes 

Append 

V 

1 '  P% 

2.  s(Z 

3.  rf V 

P 

sfO(m) 

Yes 

SM' (n)  = 

(v}IJB-U)(s.n(r))) 

Remove 

■ 

s(0(ra) 

Yes 

Legend  - 

(N,  H,  SM)  is  the  current  heap 
(N'f  P',  SM')  is  the  new  heap 
m  -  I1(p) 

v  is  the  unique  value  from  V-V  Ulnil) 

P 

which  is  in  SM(m) 

0(m)  *  {8 |  3n:  (s ,n) f SM(m) } 

B  *  {(s '  ,n)  |  (s'  ,n)€SM(«i)  } 

B"  -  {(s',n)|  (s’ ,n)€SM(ra)  /\  s’/s) 


Notes  - 

1.  S  =  operator  is  in  L^ 

V  =  operator  is  in  Lfiv 

2.  No  -  N’  -  N,  n’  -  n,  (Vm'*m) (SM* (»' )  -  SM(m')) 
Yes  *»  N'  ■  NUfn)  where  nfN-N, 

Vrfdora  n,  n’(r)  -  n(r),  n'(q)  -  n 
Vm’fN,  SM’(m’)  -  SM(m’) 


Specifications  of  the  Structure  Operations 


Table  2.2-1 
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Fetch,  First,  Next,  Select  -  If  the  control  output  value  is 
false,  then  the  data  output  tokens  have  the  value  undef .  Other¬ 
wise,  they  depend  on  the  current  heap  as  indicated  in  the  Table. 
Assign,  Update,  Delete  -  The  data  output  is  identically  zero. 

This  data  output  token  can  be  used  for  synchronization,  as  will 
be  seen  in  Chapter  3. 

Copy,  Const,  Append,  Remove  -  The  data  outputs  are  equal  to  q,  an 
arbitrary  pointer  not  in  the  domain  of  the  current  n. 
b.  The  new  heap  component  depends  on  d  as  indicated  in  Table  2.2-1 
under  Heap  Alterations .  These  dependencies  can  be  categorized : 
Fetch,  First,  Next,  Select  -  The  new  heap  is  identical  to  the 
old  one. 

Assign,  Update,  Delete  -  The  only  difference  is  a  modification 
in  the  content  of  the  node  m  *  n(p),  which  was  active  in  the 
current  heap. 

Copy,  Const,  Append,  Remove  -  An  arbitrary  free  node  n  is 
activated:  The  set  N  of  active  nodes  in  the  heap  is  augmented 
by  n,  the  domain  of  the  function  n  is  augmented  by  the  pointer 
q  which  is  the  data  output,  and  n(q)  =  n.  The  content  of  n  is 
a  close  derivative  of  m's  content. 

A 

Below  is  an  Informal  discussion  of  the  usefulness  of  this  particular 
selection  of  structure  operators;  following  that  is  a  formal  characteri¬ 
zation  of  the  state  of  the  interpreter  during  a  computation  sequence. 

The  decomposition  operators  —  Fetch,  First,  Next,  and  Select  —  are 
common  to  both  and  Lgg.  Fetch,  given  a  pointer  p,  outputs  the  value 


-53- 


of  the  node  m  =  n(p) .  The  First  and  Next  operators  allow  enumeration  of 
the  set  0(m)  of  selectors  labelling  the  branches  emanating  from  m.  These 
operators  sort  0(m)  according  to  the  assumed  total  ordering  <  on  the  entire 
set  Z  of  selectors:  First  outputs  the  least  selector  in  0(m),  and  Next 
inputs  one  selector  and  outputs  the  next-greater  selector  in  0(ra). 
Enumeration  is  accomplished  by  applying  First  once,  and  then  Next  repeti¬ 
tively,  until  a  false  control  output  obtains. 

The  Select  operator  inputs  a  pointer  p  and  a  selector  s  and  outputs 
a  pointer  to  the  s-successor  of  m  =  n(p)  (if  one  exists) .  The  set  of 
successors  of  m  may  be  discovered  by  applying  Select  to  each  selector  in 
the  enumeration  of  0(m) .  Recursive  application  of  this  procedure  leads  to 
the  discovery  of  all  nodes  reachable  from  m,  and  of  all  branches  between 
any  two  such  nodes.  Thus  complete  decomposition  of  any  given  component  is 
straightforward  in  both  and  L_,,. 

The  remaining  operators  in  each  language  are  its  construction 
operators .  These  are  capable  of  constructing  in  the  heap  any  arbitrary 
component.  The  operators  in  L„„  have  been  chosen  in  the  expectation  that 
most  components  constructed  will  be  very  similar  to  existing  ones.  There¬ 
fore,  each  operator  activates  a  new  node  whose  content  differs  minimally 
from  an  existing  node's  content:  Const  activates  a  node  whose  content  has 
a  given  value,  but  is  otherwise  identical  to  the  content  of  a  given  node. 
Append  activates  a  node  whose  content  is  distinguished  from  a  given  node's 
only  by  the  presence  of  a  given  ordered  pair  (and  the  consequent  absence  of 
any  other  pair  with  the  same  selector) .  Remove  is  provided  to  activate 
a  node  whose  content  is  distinguished  by  the  absence  of  any  pair  with  a 
given  selector. 
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The  structure  operations  chosen  for  L^y  have  Intentionally  been  kept 
simple,  compared  with  those  offered  in  [1]  and  [31],  which  are  oriented 
more  toward  efficiency  in  both  programming  and  implementation.  The 
advantages  of  simple  operations  are  that  (1)  they  are  formally  more  tract¬ 
able,  and  (2)  they  constitute  a  more  general  basis  for  composing  vurious 
sets  of  complex  operations. 

The  structure  operations  in  L  also  exhibit  these  advantages  to 
substantially  the  same  degree.  The  decomposition  operations  are  identical 
to  those  in  L^y.  for  every  construction  operator  in  L^y,  there  is  a  two- 
operator  combination  in  which  has  the  same  effect.  Figure  2.2-3 
illustrates  this  for  the  Const  operator:  The  Copy  operator  activates  a 


Equivalence  of  to  L^y 
Figure  2.2-3 
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new  node  n  with  a  content  identical  to  that  of  its  input  node  m.  The 
Assign  operator  modifies  the  content  of  its  input  node  n,  giving  it  a  new 
value  v'.  Thus  the  heap  is  altered  by  this  L  combination  in  exactly 

Do 

the  same  way  as  by  the  single  LD,.  operator  Const. 

BV 

The  fundamental  difference  between  L  and  L_c  is  in  this: 

DV  DO 

Is  the  content  of  a  node  altered  before  or  after  the  pointer 
to  that  node  appears  as  the  value  of  any  tokens? 

In  Lgy,  the  node  is  always  altered  before;  in  LrjS>  It  is  always  altered 
after.  This  means  that  in  an  implementation  of  Ln_,  the  physical  process 

DO 

of  constructing  a  new  component  can  be  partially  overlapped  in  time  with 
the  process  of  decomposing  that  same  component.  This  phenomenon,  which 
may  be  called  "structure  concurrency",  cannot  occur  in  L  .  As  illustrated 
by  the  example  programs  in  the  next  section,  structure  concurrency  has 
two  vital  consequences: 

1.  An  L  program  has  the  potential  for  more  concurrency,  hence  a 
shorter  minimum  execution  time,  than  an  equivalent  Lgv  program. 

2.  The  L  program  potentially  produces  the  wrong  result. 

DO 

This  section  concludes  with  a  study  of  properties  of  the  interpreter  state 
which  are  preserved  by  the  state-transition  rule. 

2.2.3  Formal  Semantics 

An  interpreter  generates  a  set  of  computations  from  a  program  P  and 
an  input  to  P  in  the  following  manner:  P  plus  its  input  establish  an 
initial  state  for  the  interpreter  according  to  some  convention.  Each 
computation  is  a  sequence  of  interpreter  states  generated  from  the  initial 
state  by  repeated  applications  of  a  state-transition  rule.  The  state- 


l 
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transition  rule  for  the  standard  interpreter  has  already  been  fully 
specified.  A  convention  by  which  a  program  together  with  an  input  to  it 
establish  an  initial  state  is  provided  below.  This  is  followed  by  a 
demonstration  that  the  state-transition  rule,  particularly  the  definitions 
of  the  structure  operations,  is  consistent  in  the  following  sense:  In  each 
state  in  a  computation  sequence,  the  second  component  of  the  state  truly 
is  a  heap,  and  each  pointer  in  the  configuration  points  to  a  node  in  the 
heap  component. 

The  initial  state  in  any  computation  sequence  in  the  standard 
interpreter  will  satisfy  the  following  specification: 

Definition  2.2-6  An  initial  state  of  the  standard  data-flow  interpreter 
for  any  program  P  is  a  pair  (r,U) ,  where 
F  is  a  configuration  of  P,  and 
u  ■  (N,  n,  SM)  is  a  heap, 
satisfying 

1.  there  are  in  T  data  tokens  on  all  program  input  arcs  of  P  and  on 
no  other  data  arcs,  and 

2.  every  pointer  which  is  the  value  of  one  of  these  tokens  is  in  the 
domain  of  IT. 

A 

An  initial  state  for  P  establishes  values  for  all  of  the  program  inputs 
to  P  by  the  following  correspondence:  If  an  input  arc  holds  a  token 
with  a  non-pointer  value,  then  the  corresponding  program  input  is  that 
value.  If  an  arc  holds  a  token  with  a  pointer  value  p,  then  the  corres¬ 
ponding  program  input  is  the  data  structure  which  is  the  entire  component 
rooted  at  IT(p) . 
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Theorem  2.2-1  Let  Sn  be  any  initial  standard  interpreter  state  for  an 
■  U  dS 

program,  and  let  S  =  (r,(N,n,SM))  be  any  final  state  in  a  sequence  derived 
from  5q  by  repeated  applications  of  the  state-transition  rule.  Then: 

A:  For  each  n€N,  and  for  any  s€Z,  (s,m)€SM(n)  =»  m€N. 

B:  There  is  a  token  with  value  pfV^  on  an  arc  in  r  only  if  p(dom  FI. 

C:  n  is  one-to-one  onto  N. 


Proof :  By  induction  on  the  length  of  the  state  sequence. 

Basis:  The  length  of  the  sequence  is  one;  i.e.,  S  *  Sq,  the  initial  state. 

(1)  (N.n.SM)  is  a  heap  and  B  Def.  2.2-6 

(2)  A  and  C  (1)+Def.  2.2-1 

Induction  step:  Assume  that  A,  B,  and  C  are  true  for  the  final  state  in 
any  sequence  of  length  n  >  0,  and  consider  a  sequence  of  length  n+1. 

Let  the  final  state  in  that  latter  sequence  be  S' . 

(3)  S'  is  derived  by  applying  the  state-transition  rule  once  to  a 

state  S ,  which  is  the  final  state  in  a  sequence  of  length  n 
Let  S  -  (r,(N,n,SM))  and  S'  «  (r' ,(N’  ,n' ,SM')) .  Let  d  be  the  enabled 
actor  chosen  to  fire  in  the  transition  from  S  to  S' .  There  are  four 
cases  to  consider,  depending  on  the  type  of  actor  d  is. 

Case  I:  d  is  not  a  Select,  Update,  or  Copy. 

(4)  n'  *  IT  and  N'  *  N,  so  n’  is  onto  N'  (3)+Def .  2.2-5+ind.  hyp.  C 

(5)  For  any  n€N',  let  (s,m)  be  any  ordered  pair  in  SM’(n).  Then  n(N 

and  (s,m)€SM(n)  (4)+Def.  2.2-5 


(6)  m€N  (5)+(3)+ind.  hyp.  A 

(7)  m€N'  (6)+(4) 


(8)  There  is  a  token  with  pointer  value  p  on  an  arc  in  F'  =•  there  is 


(25)  •  pfdom  IT  «*  p€dom  fl* 


(19)-»(3)+ind.  hyp.  B 
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Case  IV:  d  is  a  Copy 

(26)  n'  *  nU{(p,n)}  and  N'  ■  NU{n),  where  (p,n)?I7  and  ntfN,  and  p  is 

placed  on  an  output  arc  of  d  in  the  transition  Def.  2.2-5 

(27)  I)'  is  onto  N'  (26)+(3)+ind .  hyp.  C 

(28)  For  all  nVn  in  N* ,  (s  ,m)  €SM' (n')  =>  (s,m)€SM(n')  (26)+Def.  2.2-5 

(29)  =»  mCN  *»  m€N'  (26)+(3)+ind.  hyp.  A 

(30)  Let  r  be  the  pointer  value  of  the  token  removed  from  d's  input 

arc  in  the  transition.  Then  SM'(n)  ■  SM(TI(r))  Def.  2.2-5 

(31)  (s,m)€SM'(n)  =»  (s,m) €SM(TI(r))  =»  m€n  =»  m€N'  (30)+(26)+(3)+ind.  hyp.  A 

(32)  There  is  a  token  with  value  q  on  an  arc  in  T'  =»  there  is  a  token 

with  value  q  on  an  arc  in  T  or  q  ■  p  (26)+Def.  2.2-5 

(33)  There  is  a  token  with  pointer  value  q  on  an  arc  in  T  =»  q€dom  n  =» 

q€dom  17’  and  q*p  (26)+(3)+ind.  hyp.  B 

(34)  q  *  p  =»  q€dom  n'  (26) 

(35)  B  for  T*  (32)+(33)+(34) 

A 

2.3  Computations  Over  Structures 

This  section  first  presents  two  simple  data-flow  programs  with 
structures:  AlterV,  written  in  L^,  and  Alters,  written  in  L These 
will  be  used  to  illustrate  how  the  standard  data-flow  interpreter  gives 
meaning  to  programs  with  structures.  Additionally,  Alters  is  the 
simplest  program  in  which  the  phenomenon  of  structure  concurrency  is 
observed  to  cause  incorrect  results.  The  other  alleged  consequence  of 
structure  concurrency,  reduced  execution  time,  is  not  evident  in  programs 
as  small  as  these;  therefore,  this  effect  is  studied  in  a  pair  of  larger 


programs 
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2.3.1  A  Simple  LRV  Program 

Figure  2.3-1  shows  the  L Rv  program  AlterV.  This  program  has  two 
distinct  inputs.  The  X  input  must  be  a  pointer  to  a  node  in  the  heap, 
and  the  Y  input  must  be  a  non-pointer  value.  The  only  non-structure 
operator  in  this  program  is  the  constant  generator  G.  This  operator 
ignores  the  value  of  its  one  input,  which  here  is  a  program  input.  Its 
output  arcs  are  the  selector  input  arcs  of  S^,  S^,  and  A;  these  have  not 
been  connected,  to  avoid  confusion.  Each  time  G  fires,  it  places  tokens 
with  the  constant  selector  value  'next'  on  all  these  arcs. 

The  Intent  of  AlterV  can  be  understood  informally  as  follows:  The 
first  part,  consisting  of  operators  S^,  C,  and  A,  constructs  a  component 
Identical  to  that  pointed  to  by  the  X  input,  except  for  this:  The  'next'- 
successor  of  the  root  node  has  a  value  equal  to  the  Y  input.  The  program 
output  Q  is  a  pointer  to  the  root  of  this  new  component.  The  second  part 
of  the  program,  consisting  of  and  F,  fetches  the  value  of  the  'next'- 
successor  of  the  root  node  of  the  newly-created  component.  Therefore, 
the  program  output  R  should  equal  the  program  input  Y. 

Figure  2.3-2  depicts  an  initial  state  S  for  the  program  AlterV.  The 
configuration  is  shown  on  the  left,  the  heap  on  the  right.  (The  labels 
m^  and  m2  on  the  nodes  in  the  heap  are  for  reference  purposes  only.)  The 
program  input  Y  is  3.  The  program  input  X  is  a  pointer  p  to  node  in 
the  heap;  this  is  indicated  by  the  arrovs  to  m^  from  the  tokens  on  the 
program  input  arcs. 

If  the  interpreter  is  started  in  state  S,  successive  applications  of 
the  state-transition  rule  will  take  the  Interpreter  through  a  sequence  of 
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An  Initial  State  S  for  AlterV 
Figure  2.3-2 

states.  Figure  2.3-3  shows  several  states  in  this  sequence.  The  only 
actor  enabled  in  the  initial  state  is  the  constant  generator  G.  Firing 
this  places  the  selector  'next'  on  all  selector  input  arcs,  resulting  in 
a  state  in  which  only  Select  S^  is  enabled.  Firing  S^  results  in  the 
state  shown  in  Figure  2.3-3(a).  S^'s  inputs  were  a  pointer  to  and  the 
selector  'next';  its  output  is  a  pointer  to  m^*  the  ’next’ -successor  of 
m^.  Part  (b)  shows  the  result  of  firing  Const  operator  C.  A  new  node 
ng  is  activated  with  a  value  of  3.  The  Append  A  is  the  only  operator 
enabled  in  this  state;  the  state  after  it  fires  is  in  part  (c) .  A  second 
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new  node  has  been  activated.  This  node  has  the  same  content  as  m^, 
except  that  its  'next '-successor  is  instead  of  m2>  I.e. ,  the  node 
n^  is  the  root  of  a  new  component  which  differs  from  the  program  input 
only  in  the  value  of  the  'next '-successor  of  its  root.  A  pointer  to  this 
new  component  is  now  on  the  program  output  arc  Q.  Firing  the  remaining 
two  operators  results  in  the  final  state  S (Figure  2.3-3(d)).  The  value 
3  has  been  fetched  from  n2>  and  a  token  with  that  value  appears  on  the 
program  output  arc  R. 

This  example  illustrates  the  formal  derivation  of  one  possible 
outcome  for  the  given  input.  The  final  state  in  Figure  2.3-3(d)  estab¬ 
lishes  values  for  the  program  outputs  in  a  manner  analogous  to  the  estab¬ 
lishment  of  program  inputs  by  an  initial  state.  A  final  state  can  be 
found  only  by  using  the  state-transition  rule  to  generate  a  sequence  of 
states  starting  in  the  initial  state.  Determining  all  possible  outcomes 
for  a  given  input  is  ultimately  a  matter  of  generating  all  possible  state 
sequences  starting  in  all  possible  initial  states  which  establish  that 
input . 

Distinguishing  one  of  these  state  sequences  from  another  by  comparing 
graphical  representations,  like  those  in  Figure  2.3-3,  is  unworkable.  A 
convenient  abbreviation  for  a  state  sequence  is  a  firing  sequence.  This 
is  basically  the  sequence  of  the  labels  of  the  actors  fired  at  each 
state  transition.  An  entire  state  sequence  can  be  uniquely  re-constructed 
from  its  initial  state  and  its  firing  sequence,  as  in  the  following: 

Definition  2.3-1  Let  S  be  any  state  for  a  data-flow  program  P. 

Let  d  be  the  label  of  any  actor  in  P.  Then  a  firing  m  of  the  actor 
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labelled  d  (or  a  firing  of  d,  for  short)  is  defined  by 

|  d  if  the  actor  is  not  a  Copy,  Const,  Append,  or  Remove 

<P  -  ) 

(  (d,(p,n))  otherwise,  where  p  is  any  pointer  and  n  is  any  node 
A  firing  sequence  starting  in  £,  and  the  state  after  firing  sequence 
2,  5*2,  are  jointly  defined  by  the  following  recursive  rules: 

(1)  \,  the  empty  sequence,  is  a  firing  sequence  starting  in  S . 

S'\  *  S. 

(2)  Let  2*  (p^,q>2»  •  •  •  a  firing  sequence  starting  in  S ,  and  let 

d  be  the  label  of  any  actor  enabled  in  £*2.  Then 

2(p  *  <p,  ,(p_, . . .  ,(p  -  ,<p  ,  where  m  is  a  firing  of  d,  is  a  firing 

n  l  z  n-i  n  n 

sequence  starting  in  S. 

£'2cpn  is  the  state  obtained  by  applying  the  state-transition  rule 
to  S*2  with  d  as  the  enabled  actor  selected  to  fire.  If  d  is  a  Copy, 
Const,  Append,  or  Remove,  then  it  is  the  ordered  pair  (p,n)  which 
is  added  to  n. 

(3)  All  firing  sequences  starting  in  S  are  defined  by  (1)  and  (2)  above. 
Any  firing  sequence  2  is  halted  iff  no  actor  is  enabled  in  5*2. 

A 

The  only  freedom  of  choice  in  the  application  of  the  state-transition 
rule  is  in  the  selection  of: 

1.  which  enabled  actor  is  fired, 

and  if  a  Copy,  Const,  Append,  or  Remove  is  chosen, 

2.  what  pointer-node  pair  is  added  to  the  function  FI. 

Each  possible  choice  can  be  expressed  as  a  unique  firing.  Any  state  plus 
a  firing  of  an  actor  enabled  in  that  state  determines  a  unique  next  state. 
Thus  a  sequence  of  firings  starting  in  an  initial  state  uniquely 
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determines  a  sequence  of  states,  as  in  the  above  definition. 

An  initial  state  for  a  program  P  establishes  some  set  of  program 
input  values  for  P.  The  data-flow  interpreter  associates  with  each  such 
initial  state  a  set  of  possible  state/firing  sequences.  The  final  state 
entailed  by  each  such  sequence  establishes  a  set  of  program  output  values 
for  P,  at  least  if  P  is  well-behaved  [12]: 

Definition  2.3-2  A  data-flow  program  program  P  is  well-behaved  iff  the 
following  is  true  of  every  initial  state  5  for  P:  Let  £>  be  any  halted 
firing  sequence  starting  in  S  and  let  (r,U)  be  the  state  S-Q.  Then  in  T: 

1.  Every  program  input  arc  of  P  has  no  tokens  on  it. 

2.  Every  program  output  arc  of  P  has  a  token  on  it. 

3.  Every  other  arc  is  configured  exactly  as  in  S. 

A 

Thus  the  interpreter  associates  one  or  more  sets  of  output  values  with 
each  possible  set  of  input  values  for  a  program.  AlterV  is  a  program 
for  which  each  set  of  inputs  has  exactly  one  set  of  outputs  associated 
with  it.  For  the  program  Alters,  presented  next,  a  given  set  of  inputs 
may  have  many  different  sets  of  outputs  associated  with  it. 

2.3.2  The  Loc  Program  Alters 

DO 

AlterS  (Figure  2.3-4)  illustrates  the  hazards  of  structure  concur¬ 
rency.  It  is  derived  from  AlterV  by  performing  the  substitution  shown  in 
Figure  2.2-3  for  the  Const,  and  a  similar  one  for  the  Append.  It  is  argued 
at  the  end  of  Section  2.2  that  the  substituted  combinations  change  the 


heap  in  the  same  way  as  the  L  „  operators  which  they  replace.  It  is 


Figure  2.3-4 
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therefore  reasonable  to  expect  that  Alters  and  AlterV  will  always  yield 
"equal"  results  when  applied  to  the  same  input*.  ("Equality"  is  need 
here  in  an  Intuitive  aenae;  a  format  definition  la  given  in  Scot  Ion  l.1*.) 
Unfortunately,  that  is  not  the  case.  Different  firing  Nequeneea  starting 
in  the  same  initial  state  for  Alters  may  yield  unequal  final  states,  as 
ia  dcraonat rated  next. 

Tl\e  initial  state*'  la  that  ahown  in  Figure  2.1-4,  The  program 
iuputa  are  equal  to  the  Inputs  of  AlterV  In  the  initial  atate  of  Figure 
2.1-2.  Consider  flrat  the  firing  aequenee  "  C.Sj  l>, A. S^.F. 

Figure  2. '1-5  shows  the  Interpreter  atate  after  aeleeted  prefixea  ol  li.*. 

In  »'«•(* .  S  |  *  (•  |  (part  (a)  of  the  Figure),  the  output  are  of  Sj  has  a 
pointer  to  node  m^.  The  output  area  of  C  have  pointer*  to  nj,  which  la 
a  copy  of  mj  (i.e.,  ia  a  newly-activated  node  having  the  same  content  as 
m  .)  In  S ,,C,,C.,,U  (part  (h)),  a  copy  n,  ha*  been  made  of  node  m,,, 
and  the  'next '-successor  of  n^  has  been  changed  by  the  Update  to  be  it,. 

In  .'>*0,8 .  ,0,  ,C.,,U,A  (part  (o)),  the  value  of  n„  ha*  been  changed  by 
•  1  '  2 

the  Aaatgn  to  be  1.  The  program  output  arc  i)  haa  a  pointer  to  n^,  which 
la  the  root  of  a  component  differing  from  the  program  input  X  only  in 
the  value  of  the  root's  'next '-successor.  Firing  S^  and  F  fetches  the 
value  1  from  n,)t  resulting  in  the  final  atate  c’sij,  ahown  In  part  (d) . 

It  la  apparent  that  the  outputs  of  Alters  In  .‘"52*  are  equal  to  the 

r 

unique  outputs  produced  by  AlterV  for  the  same  inputs.  Conaider  however 
the  firing  sequence  .12^  -  <I,S  ^  ,Cj  In  the  state  S(  ,Cj  ,C., 

(Figure  2.1-6),  la  enabled  with  a  pointer  to  Uj  as  input.  If  S.,  la 
fired  in  this  atate,  a  pointer  to  node  m^  will  be  placed  on  F's  Input  arc. 

i 

All  selector  Inputs  ami  branch  labels  are  'next'. 
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A  State  in  an  Alternative  Sequence  for  Alters 
Figure  2.3-6 

Then  when  F  eventually  fires,  a  token  with  value  2  will  be  placed  on  the 
program  output  arc  R.  So  the  R  output  arc  has  a  token  of  value  2  in  S'SZ^ 
and  a  token  of  value  3  in  £'2^.  There  are  two  firing  sequences,  starting 
in  the  same  Initial  state  for  Alters,  which  lead  to  final  states  with 
unequal  program  outputs.  Any  program  for  which  this  may  be  true  is 
non-f unc tlonal  (this  property  is  formally  defined  in  Section  2.4).  An 

Ss 

S*2 ^  differs  from  S' 2^  because  of  the  concurrent  construction  and 
decomposition  of  the  new  component  rooted  at  n^.  In  S'G.SpCj^Cj 
(Figure  2.3-6),  n^  has  been  activated  and  there  are  pointers  to  it 
available.  During  subsequent  computation,  a  new  component  rooted  at 


program  may  be  non-functional,  but  all  programs  are  functional. 
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will  be  constructed.  There  Is  In  this  state  a  "race"  between  the 
construction  operator  combination  U-A  and  the  decomposition  combination 
S^-F.  If  the  decomposition  combination  loses  this  race,  then  It  decom¬ 
poses  the  new  component,  as  intended.  If  it  wins,  then  it  decomposes 
whatever  component  was  originally  rooted  at  n^,  which  happens  to  result  in 
outputting  2,  the  value  of  ra„. 

Thus  structure  concurrency  may  induce  non-functional  program  behavior 
(under  conditions  made  clear  in  Section  3.1.1).  A  potentially-compensating 
benefit  of  this  concurrency  is  demonstrated  in  the  next  sub-section. 

2.3.3  Analysis  of  Execution  Time 

Figure  2.3-7  shows  two  programs:  AlterV2,  written  in  ,  and  AlterS2, 
written  in  L^g.  These  programs  are  similar  to  AlterV  and  Alters.  The 
only  difference  is  in  the  level  at  which  the  output  component  differs  from 
the  input:  Each  of  these  programs  first  constructs  a  component  identical 
to  its  X  input  except  for  the  value  of  the  'next' -successor  of  the  'next'- 
successor  of  the  root.  It  then  fetches  this  value  from  the  newly- 
constructed  component.  (The  constant-selector  generator  has  been  omitted 
for  simplicity.) 

The  purpose  here  is  to  estimate  the  relative  total  elapsed  times 
required  to  execute  AlterV2  and  AlterS2.  The  analysis  is  based  on  the 
following  simplifying  assumptions: 

Assumption  2.3-1  The  time  required  to  execute  an  operation  is  one  of 
three  constant  durations,  depending  on  the  type  of  the  operation: 
a.  S  is  the  time  required  for  the  Copy,  Const,  and  Append  operations. 

Each  of  these  entails  the  following  sub-operations: 


AlterV2 


(a)  f 

The  Programs  AlterV2  and  AlterS2 
Figure  2.3-7 
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i.  Find  where  the  content  of  the  input  node  is  stored  in  the 
Structure  Memory  (SM) . 

li.  Find  an  unused  pointer  value  and  an  empty  location  in  the  SM 
for  a  new  node's  content. 

iii.  Read  the  value  and  every  ordered  pair  in  the  old  content, 

copying  it  (with  possibly  one  change)  into  the  empty  location. 

b.  P  is  the  time  required  to  execute  a  Select  or  Update.  Each  of  these 
involves  the  following  steps: 

i.  Find  the  content  of  the  input  node, 

ii.  Search  through  the  ordered  pairs  in  that  content  until  one 
with  the  given  selector  is  found, 

iii.  Either  return  this  (Select)  or  overwrite  it  (Update). 

c.  V  is  the  time  required  for  the  Fetch  and  Assign  operations.  These 
entail  the  following  sub-operations: 

i.  Find  the  content  of  the  input  node, 
ii.  Read  the  value  in  that  content,  and  return  it  (Fetch)  or 
overwrite  it  (Assign) . 

It  is  clear  that  P  5  S  and  V  s  S,  and  it  is  likely  that  V  <  P. 

A 

Assumption  2.3-2  Each  operator's  execution  starts  as  soon  as  all  of  the 
other  executions  which  must  precede  it  have  finished.  This  includes  those 
which  supply  its  Inputs,  as  well  as  those  which  must  precede  it  for  cor¬ 
rectness;  l.e.,  for  AlterS2  to  produce  the  same  result  as  AlterV2,  U^'s 
execution  must  finish  before  S^'s  starts.  Thus,  the  total  execution  time 
for  a  program  equals  the  maximum  sum  of  execution  times  for  all  sequences 
of  operators  of  the  following  form:  For  each  operator  d  in  the  sequence 
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except  the  last,  d  must  finish  executing  before  the  next  operator  in  the 
sequence  can  start. 

A 

Under  these  two  assumptions ,  the  total  execution  times  for  the  two 
programs  are  reckoned  as  follows : 

AlterV2  -  There  is  only  one  such  sequence  of  operators.  The  sum 
of  execution  times  along  it  is 
3S+4P+V 

AlterS2  -  There  are  two  maximum-execution-time  sequences: 

S,-S„-C_-U„-S.-F  and  S.-C.-U.-S.-S.-F 
12324  12134 

The  total  execution  time  along  either  is 
S+4P+V 

Thus  the  execution  time  for  AlterS2  is  2S  less  than  the  time  for  AlterV2. 

Since  this  latter  time  is  less  than  8S,  AlterS2  exhibits  a  reduction  in 

execution  time  of  at  least  25%. 

Thus  the  structure  concurrency  permitted  in  LgS  can  result  in 

significantly  faster  programs.  Unfortunately,  it  can  also  result  in 

non-functional  programs,  which  are  totally  unacceptable  in  most  computer 

applications.  This  inspires  a  search  for  a  compromise,  for  a  language  in 

which  it  is  easy  to  write  programs  which  are  functional  but  still  exhibit 

as  much  of  this  concurrency  as  possible.  L  ,  a  rich  language  for  the 

dv 

expression  of  functional  algorithms  over  structured  data,  will  be  used  as 
a  paradigmatic  source  of  functional  programs. 

Therefore,  the  primary  goal  of  the  thesis  can  be  stated  as: 
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Develop  a  language  Lp,  with  interpreter,  having  the  property 
that  any  well-behaved  L^,,  program  can  be  translated  into  an 
equivalent  Lp  program  which  has  maximal  structure  concurrency 
(the  Lgy  program  has  none). 

This  involves  four  tasks : 

1.  Formally  define  what  it  means  for  certain  programs  in  other 
languages  to  be  equivalent  to  a  given  Lgv  program  (this  is  done 
in  Section  2.4). 

2.  Develop  Lp  and  its  interpreter,  as  well  as  a  translation  to  it 
from  Lrv  (Chapter  3) . 

3.  Prove  that  the  translation  produces  an  equivalent  program 
(Chapters  4,  5,  6,  and  7). 

4.  Show  that  an  program  on  its  interpreter  is  maximally  concurrent. 

This  is  argued,  though  not  proven,  in  Chapter  8. 


2.4  Equivalence  and  Functionality 
This  section  provides  a  formal 
programs  from  different  languages . 
but  will  cover  the  case  of  programs 
every  program  in  L^y  is  functional, 
be  functional.  Therefore,  a  formal 
first. 


definition  of  the  equivalence  of  two 
This  definition  is  not  comprehensive, 
translated  from  L^y  to  Lp.  Since 
the  equivalent  Lp  program  must  also 
definition  of  functionality  is  given 
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2.4.1  Functionality 

An  intuitive  notion  of  a  functional  well-behaved  program  has  been 
presented  earlier:  one  which,  given  a  set  of  input  values,  always 
necessarily  produces  the  same  set  of  output  values.  As  has  been  pointed 
out,  an  initial  (final)  state  establishes  a  set  of  program  input  (output) 
values.  This  suggests  a  more  precise  definition  of  functionality:  Let 
and  £>2  any  two  initial  states  which  establish  the  same  set  of 
input  values.  Then  all  halted  firing  sequences  starting  in  S ^  and  S ^ 
lead  to  final  states  which  establish  the  same  set  of  output  values. 

Two  initial  states  for  a  program  which  establish  the  same  program 
inputs  can  be  characterized  thusly:  An  arc  has  a  token  on  it  in  either 
state  iff  it  is  a  program  input  arc  (because  they  are  initial  states) ; 
if  an  arc  has  tokens  in  the  two  states,  then  those  tokens'  values 
either  are  the  same  non-pointer  value  or  are  pointers  to  equal 
structures.  With  the  substitution  of  "output"  for  "input",  this  same 
statement  serves  to  characterize  final  states  which  establish  the  same 
set  of  output  values.  Both  of  these  notions  can  be  accomodated  as 
special  cases  of  the  single  more  general  concept  of  "equal  states", 
developed  next. 

Two  states  of  a  program  are  equal  iff,  for  each  arc  b  in  the  program, 
the  condition  of  b  in  one  state  matches  that  in  the  other;  i.e.,  either 
1.  b  has  no  token  in  either  state, 

or  2.  b  has  tokens  of  identical  non-pointer  values  in  the  two  states,  ^ 

\ 

or  3.  b  has  tokens  whose  values  are  pointers  to  equal  components  in 

J 


the  two  states. 
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"Pointers  to  equal  components  in  two  states"  need  not  be  identical 
pointers,  nor  need  they  point  to  identical  nodes.  For  example,  let 
5^  *  (rx,  (N^,  ni,  SM^))  be  an  initial  state,  and  let 
5 ^  *  (rlt  (N^,  n2.  SM^))  be  a  state  identical  to  that  except  that  some 
pointer  p^  in  dom  is  replaced  in  172  by  P2  not  dom  Then 

certainly  the  component  rooted  at  n2(P2)  in  S2  is  equal  to  the  component 
rooted  at  ri^tPj^)  in  S^.  Therefore,  the  program  has  the  same  inputs  in 
S2  as  in  5. . 

Since  nodes  are  only  place-holders,  uniformly  substituting  one  for 
another  in  a  heap  does  not  change  the  data  structure  represented.  For 
example,  consider  the  initial  state  for  AlterV  depicted  in  Figure  2.3-2. 
The  heap  in  that  state  is 

U1  "  <N1*  ni»  SV 

where  *  {m^,  m2> 

17^  =  {(p^.m^),  (p2,m2)}  where  p^  is  the  value  of  the  token  on  the 

X  program  input  arc 

SMl*ml^  ”  t1*  ( ’next* ,m2) } 

Sl^Cm^  -  {2} 

Replacing  node  m2  with  a  different  node  m^m^  uniformly  throughout 
yields 

U2  -  (N2,  n2,  sm2) 

where  N2  -  {n^,  m3) 

n2  -  {(p1,m1),  (p2,m3)> 

SM2(»i)  -  {1,  ( 'next' ,m3) } 

SM2(m.)  -  {2} 
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The  component  of  rooted  at  clearly  represents  the  same  structure  as 
the  component  of  rooted  at  m^.  Whenever  two  components  are  identical 
to  within  pointers  and  nodes,  they  are  equal: 


Definition  2.4-1  Let  =  (N^,  IT^,  SM^)  and  U2  *  (N2>  Ilj •  SM2)  be  two 
heaps,  and  let  I  be  any  one-to-one  mapping  from  N^  to  N2-  The  component 
of  U2  rooted  at  any  equals  under  1^  the  component  of  rooted  at 

written 


U2*m2 


U^.m^ 


iff 


1.  m2  *  I(m^) ,  and 

2.  for  each  n€N^  such  that  n  =  or  n  is  reachable  from  m^  in  U^, 

SM2(I(n))  =  l(SM1(n)) 

where  for  any  content  c  *  {v,  (s^,n^) , . . . , (s^ .n^) },  1(c)  denotes  the 
content  {v,  (s^Kn^)) , . . . ,  (s^  .Kn^))  }. 

A 

Now  the  definitions  of  matching  conditions  of  arcs  and  of  equal  states 
follow  directly: 


Definition  2.4-2  Let  5^  *  (r^,U^)  and  be  two  standard 

interpreter  states,  where  »  (N^,  n^,  SM^)  and  U2  =  (N2»  IT2 »  SM2^ *  Let 
b^  and  b2  each  be  an  arc  from  the  program  of  which  and  r2*  respectively, 
is  a  configuration.  Then  for  any  one-to-one  mapping  I:  N^  ■+  N2>  the 
condition  °f.  b  2  —  — 2  matches  under  _I  the  condition  of  b ^  ijn  S^,  written 
Match ((b2,S2),  I,  (b^)) 
iff  one  of  the  following  is  true: 

1.  There  is  no  token  on  b^  in  and  none  on  b2  in  r2* 
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2. 


3. 


There  are  tokens  with  the  same  non-pointer  values  on  in 
on  t>2  in  Tj. 

There  is  a  token  with  value  p . on  b.  in  r, ,  i“l,2,  and 

l  p  i  l 

u2.n2(P2)  -  u1.n1(p1) 


and 


Definition  2.4-3  Let  5^  and  S2  be  two  standard  interpreter  states  for  the 
same  data-flow  program  P.  Then  S 2  equals  iff  there  is  a  single  one-to- 
one  mapping  1  under  which,  for  every  arc  b  in  P,  Match( (b,^) »  1»  (b,S^)). 

A 

An  initial  state  for  a  program  P  represents  both  P  and  a  set  of 
inputs  for  P.  Equal  initial  states  represent  the  same  set  of  inputs  for 
P.  Similarly,  equal  final  states  represent  the  same  set  of  program  outputs 
for  P  (if  P  is  well-behaved) .  For  P  to  be  functional,  then,  any  two 
halted  firing  sequences  starting  in  the  same  or  equal  initial  states  must 
yield  the  same  or  equal  final  states: 


Definition  2.4-4  A  program  P  is  functional  iff  for  every  two  equal  initial 
states  for  P,  S ^  and  S2,  and  halted  firing  sequences  starting  in  S ^  ana 
fi2  starting  in  S2,  S2'Si2  equals  5^*2^ 

A 

Testing  a  program  P  for  functionality  according  to  this  definition 
is  a  complex  procedure:  every  initial  state  for  P  and  every  firing 
sequence  starting  in  it  must  be  checked.  It  is  therefore  worthwhile  to 
seek  ways  to  reduce  this  complexity;  i.e.,  a  priori  conditions  on  two 
initial  states  S ^  and  S 2  and  firing  sequences  2^  and  &2  starting  in  these 


states  which  will  guarantee  that  S2'&2  e()ua^s  S^*2^. 


^2*^2  equals  iff  one  can  be  obtained  from  the  other  by  uniformly 

replacing  certain  distinct  pointers  and  nodes  with  other  distinct  pointers 
and  nodes.  The  pointers  and  nodes  in  any  final  state  S‘Si  are  the  pointers 
and  nodes  in  S  plus  those  in  the  ordered  pairs  in  the  Copy,  Const,  Append, 
and  Remove  firings  in  Q.  Therefore,  equals  iff 

1.  ^2  is  5^  with  certain  pointers  and  nodes  uniformly  replaced  with 
others,  and 

2.  ^2  is  $2,  with  certain  pointers  and  nodes  in  the  ordered  pairs  in  the 
firings  replaced  by  others  not  in  S  . 

The  first  condition  has  been  formalized  and  abbreviated  as  "&2  ecluais 
The  second  condition  implies  that  the  particualr  pointer-node  pairs  in 
firings  in  a  firing  sequence  have  no  bearing  on  the  issue  of  functionality; 
that  is,  it  is  only  the  order  of  operator  firings  which  matters.  Removing 
the  ordered  pairs  entirely  from  a  firing  sequence  yields  what  may  be 
termed  its  reduction;  therefore,  the  second  condition  above  is  equivalent 
to  "the  reductions  of  and  are  identical."  This  may  be  further 
abbreviated  as  equals 

Definition  2.4-5  Let  S3  be  any  firing  sequence.  Then  the  reduction  of  Si 
is  obtained  from  &  by  replacing  each  firing  (d,(p,n))  with  the  firing 
which  is  just  d. 

The  reduction  of  any  firing  sequence  starting  in  a  state  S  is  a 
reduced  firing  sequence  starting  in  ■?. 

Let  and  52^  be  any  two  firing  sequences.  Then  9. ^  equals  iff  the 
reductions  of  and  are  Identical. 
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Thus  the  complexity  of  testing  for  functionality  is  reduced  by  the 
fact  that,  if  5 2  equals  5^  and  equals  then  s2'®2  etlual8 
(Theorem  5.3-1). 

Finally,  a  program  together  with  a  set  of  inputs  to  it  can  be 
associated  with  a  class  of  initial  states:  the  class  of  all  those  equal 
states  which  represent  that  program  with  those  inputs.  Any  such  class  is 
in  fact  an  equivalence  class;  i.e.,  the  "equals"  relation  between  states  is 
an  equivalence  relation.  This  is  proven  as  a  corollary  to  the  following: 

Theorem  2,4-1  The  "Match"  relation  is  symmetric  and  transitive. 

Proof:  (The  proof  of  this,  which  is  a  lengthy  but  straightforward 

manipulation  of  definitions,  has  been  removed  to  Appendix  A.) 

A 

CoyoD-sty  2.4-1  The  equals"  relation  between  states  is  an  equivalence 
relation. 

Proof :  Reflexivity: 

(1)  Let  5  m  (T.U)  be  any  state,  where  U  *  (N,J"I,SM).  Let  b  be  any  arc 

in  the  program  of  which  r  is  a  configuration.  Then  either: 
b  has  no  token  in  r  and  b  has  no  token  in  T,  or 
b  has  a  non-pointer  value  in  T  and  b  has  the  same  value,  or 
b  has  a  pointer  value  p  in  r  find  b  has  pointer  value  p,  and 

u.n(p)  i  u.n(p) 

where  I:  N  -»  N  is  the  Identity  mapping  Def.  2.4-1 

(2)  There  is  a  single  map  I:  N  N  under  which,  for  each  arc  b, 

Match((b,S),  I,  (b ,S) ) 


O)  5  equals  5 


(1) +Def.  2.4-2 

(2) -H>ef.  2.4-3 


m 
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Symmetry: 

(4)  Let  5^  and  S 2  be  two  states  for  any  program  P.  Then  S 2  equals  S ^ 

=»  there  is  a  single  mapping  I  under  which,  for  each  arc  b  in  P, 
Match((b,S2),  I,  (b.S^)  Def.  2.4-3 

(5)  =>  for  each  arc  b  in  P,  Match((b,S^) ,  I  \  (b,£2))  Thm.  2.4-1 

(6)  =»  equals  Def.  2.4-3 

Transitivity: 

(7)  Let  S^,  S2>  and  S ^  be  three  states  for  the  same  program  P.  Then  S2 

equals  and  S ^  equals  S2  =®  there  are  mappings  1^  and  I2  such 

that,  for  each  arc  b  in  P,  Match((b,S2) ,  1^,  (b,£^))  and 

Match ((b,S3),  I2,  (b,S2))  Def.  2.4-3 

(8)  =»  for  each  arc  b  in  P,  Match(  (b.S-j) ,  I2'Ii»  (b,^))  Thm.  2.4-1 

(9)  =»  Sj  equals  Def.  2.4-3 


2.4.2  Equivalence 

The  primary  goal  of  the  thesis  is  to  develop  a  language  L^  and  an 
interpreter  for  it  such  that  an  appropriate  translation  from  LflV  to  L^ 
produces  equivalent  programs.  The  purpose  of  this  section  is  to  provide 
a  meaningful  definition  of  equivalence  of  an  Lp  program  to  an  LfiV  program. 
Intuitively,  two  programs  are  equivalent  if  both  always  produce  the  same 
outputs  from  the  same  inputs.  An  initial  state  for  either  program 
represents  a  set  of  inputs  to  that  program.  It  is  necessary  now  to 
characterize  two  initial  states  which  represent  the  same  program  inputs  to 
different  programs. 

Two  Initial  states  of  the  same  program  represent  the  same  inputs  iff 
each  program  input  arc  has  matching  conditions  in  the  two  states. 
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Extending  this  to  states  of  different  programs  requires  first  establishing 
a  one-to-one  correspondence  between  their  sets  of  program  input  arcs;  then 
it  can  be  said  that  two  initial  states  represent  the  same  inputs  iff  the 
conditions  of  corresponding  program  input  arcs  match.  The  analogous 
characterization  of  equal  program  outputs  necessitates  a  one-to-one 
correspondence  between  sets  of  program  output  arcs  in  the  programs. 

When  dealing  with  single  programs  in  the  discussion  on  functionality, 
the  notions  of  equal  inputs  and  of  equal  outputs  were  generalized  to  the 
concept  of  equal  states:  Two  states  of  the  same  program  are  equal  iff 
every  arc  in  the  program  has  matching  conditions  in  the  two  states. 

Applying  this  generalization  process  to  the  case  of  two  states  of  different 
programs,  however,  is  complicated  by  the  possibility  of  syntactic  differ¬ 
ences  between  the  programs.  For  example,  substitutions  like  that  shown  in 

to  an  Lp 

program.  Thus  the  latter  will  have  extra  arcs,  such  as  that  from  the  Copy 
to  the  Assign  in  that  Figure.  Ignoring  these  arcs,  however,  there  will  be 
an  obvious  one-to-one  correspondence  between  the  sets  of  remaining  arcs  in 
the  two  programs.  This  is  a  similarity  mapping: 

Definition  2.4-6  Given  two  programs  P  and  P',  a  similarity  mapping  A  is 
a  one-to-one  map  from  the  arcs  of  P  to  the  arcs  of  P*  which  carries 
program  input  arcs  to  program  input  arcs  and  program  output  arcs  to 
program  output  arcs. 

A 

Two  states  S  and  S'  of  different  programs  can  be  considered  the  same 
if  the  conditions  of  at  least  the  similar  arcs  in  them  match.  In  this 
case,  it  will  be  said  that  S'  simulates  5: 


Figure  2.2-3  will  be  used  in  the  translation  of  an  program 


Definition  2.4-7  Let  P  and  P*  be  two  programs  with  a  similarity  mapping 
A  from  P  to  P'.  Then  a  state  S'  of  P'  simulates  a  state  S  of  P  iff  there 


is  a  single  mapping  I  such  that,  for  each  arc  b  in  P, 

Match((A(b) ,S') ,  I,  (b ,S)) 

A 

A  suitable  formal  definition  of  equivalence  of  programs  in  different 
languages  follows  directly  from  this : 

Definition  2.4-8  A  program  P'  is  equivalent  to  a  program  P  iff: 

1.  There  is  a  similarity  mapping  from  P  to  P'. 

2.  For  every  initial  state  S  of  P  and  halted  firing  sequence  £  starting 
in  S: 

for  every  initial  state  S'  for  P'  simulating  S,  and  halted 
firing  sequence  £'  starting  in  S' : 

the  final  state  S' •£'  simulates  S’£. 

A 

This  definition  is  a  weak  one,  but  it  is  strong  enough  for  the  purpose  of 
the  thesis,  which  is  again:  To  develop  a  language  L^,  with  interpreter, 
and  a  translation  from  LgV  to  which  produces  an  equivalent  program  with 
maximal  structure  concurrency.  Chapter  3  next  develops  the  new  language 
and  interpreter,  and  the  translation.  Chapters  4,  5,  6,  and  7  then  prove 
formally  that  the  translation  does  produce  an  equivalent  program  from 
any  well-behaved  L^v  program. 


Chapter  3 

Controlling  Structure  Concurrency 

This  chapter  contains  the  developments  which  meet  the  primary  goal 
of  the  thesis.  It  describes  a  language  and  an  Interpreter  for  it, 
designed  so  that  every  program  is  functional.  It  then  gives  an  algorithm 
to  translate  any  well-behaved  program  P  into  an  equivalent  program 
P'.  P'  will  exhibit  a  maximal  degree  of  structure  concurrency  (subject 
to  certain  qualifications  discussed  in  Section  8. 2. 1.4). 

The  chapter  commences  by  studying  structure  concurrency  in  LDC  on 

Bo 

the  standard  interpreter,  to  see  exactly  when  it  may  cause  non¬ 
functionality.  Section  3.2  argues  that  this  concurrency  can  be  controlled 
so  as  to  eliminate  non-functionality  through  a  combination  of  two  tech¬ 
niques.  The  first  is  to  re-write  the  program,  inserting  operators  called 
sequencers  at  critical  points.  The  second  is  to  withhold  the  pointer¬ 
valued  output  tokens  of  a  Select  firing  until  certain  existing  tokens  with 
the  same  pointer  value  have  disappeared;  this  requires  modifying  the 
standard  data-flow  interpreter.  The  language  is  just  the  set  of  LfiS 
programs  which  have  sequencers  in  the  right  places  and  satisfy  a  restric¬ 
tion  on  the  origins  of  pointer  inputs  to  Assign,  Update,  and  Delete 
operators.  Every  program  is  functional  on  the  modified  data-flow 
Interpreter.  Section  3.4  then  gives  the  translation  algorithm,  and  proves 
that  for  every  program  P,  its  translation  P'  is  in  L^,  and  that  if  P 
is  well-behaved  and  P'  is  functional,  then  P*  is  equivalent  to  P;  the 
proof  that  every  L_  program  is  functional  occupies  the  rest  of  the  thesis. 


-87- 


3.1  Interference 

It  Is  a  well-established  principle  [9]  that  the  key  to  guaranteeing 
functionality  is  preventing  interference: 


Definition  3.1-1  Given  an  initial  state  S  for  any  data-flow  program  P 
and  a  firing  sequence  $2<Pj4>2  starting  in  S ,  the  two  firings  and  <p2 
Interfere  (with  each  other)  iff: 

1.  S2<p2(Pi  is  a^so  a  firing  sequence  starting  in  S,  and 

2.  S'£!(pj4>2  and  are  not  identical  states. 


An  example  of  interference  can  be  seen  between  firings  of  the  actors 
U  and  in  Alters.  Figure  2.3-4  depicts  an  initial  state  S  for  Alters. 

One  firing  sequence  starting  in  S  is  2  ■  G,Si* Ci»C2-  In  the  state  S‘Sl 
(depicted  in  Figure  2.3-6),  both  S2  and  U  are  enabled.  Therefore,  both 
S2,S2,U  and  are  firing  sequences  starting  in  S  (since  data  flow  is 

persistent:  firing  one  actor  cannot  disable  another) .  However,  the 
states  S'-a,S2,U  (Figure  3.1-l(a))  and  S’S2,U,S2  (Figure  3.1-l(b))  are 
clearly  not  identical:  the  tokens  on  the  output  arcs  of  have  as  values 
pointers  to  different  nodes. 

The  reason  for  this  interference  is  that  firing  Update  U  changes  the 
ordered  pair  with  selector  ’next1  in  node  n^’s  content,  while  firing  Select 
S2  reads  the  ordered  pair  with  selector  ’next’  in  that  content.  Therefore, 
S2  may  or  may  not  read  the  pair  written  by  U,  depending  on  whether  or  not 
U  fires  before  it.  Because  of  this  dependence,  the  existence  of  two  firing 
sequences  in  which  S2  and  U  fire  in  a  different  relative  order  implies 
the  possibility  of  non- functionality.  This  Interference  does  not  imply 
the  necessity  of  non-functionality;  there  are  pathological  cases,  discussed 
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shortly,  in  which  it  is  harmless.  But  eliminating  all  possible  interfer¬ 
ence  is  the  easiest  way  to  guarantee  functionality.  For  this  reason,  it  is 
important  to  be  able  to  recognize  all  potential  instances  of  interference. 

The  interference  between  U  and  S2  falls  into  the  broad  category  of 
one  operator  trying  to  change  a  stored  item  and  another  trying  to  read 
that  item.  (An  item  is  either  the  value  in  a  given  node's  content  or  the 
ordered  pair  in  that  content  containing  a  given  selector.)  Interference 
can  also  occur  between  two  operators  trying  to  change  the  same  stored  item. 
For  example,  if  two  Assign  operators  d^  and  d^  are  both  enabled  in  some 
state  S'<2  with  pointers  to  a  node  n  as  inputs,  then  in  either  of  the  states 
S'&d.^  or  S"S2d2d^,  the  value  of  n  is  the  value  stored  by  the  last  of  d^ 
and  d2  to  fire.  Thus  these  two  states  are  different  (except  in  the  singu¬ 
lar  case  that  both  Assign  firings  wrote  the  same  value) .  Such  interference 
may  lead  to  non-functionality  in  one  of  two  ways: 

1.  An  fetch  of  n's  value  immediately  after  the  last  of  these  Assign 
firings  will  have  different  outputs  in  different  firing  sequences. 

2.  If  no  Assign  firing  follows  these  two,  then  different  firing 
sequences  lead  to  final  states  in  which  n  has  different  values. 

The  strategy  for  guaranteeing  functionality,  presented  in  Section  3.2,  is 
to  eliminate  all  potential  interference.  As  a  first  step,  the  above 
generalizations  are  particularized  to  L_c,  yielding  exact  conditions  under 
which  two  firings  potentially  Interfere. 

3.1.1  Potential  Interference  in  Lgg 

This  section  analyzes  the  conditions  under  which  firings  <p^  and  <p2  of 
actors  d^  and  d2  in  a  program  P  can  interfere:  what  types  of  actors  d^  and 
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must  be  and  how  the  firings'  Inputs  must  be  related.  It  assumes  the 
requisite  initial  state  5  for  P  and  firing  sequence  &p^<p2  starting  in 
such  that  Q<p2<£^  Is  also  a  firing  sequence  starting  in  5. 

Both  d^  and  d^  must  be  enabled  in  state  S’Q.  This  means  that  each 
of  them  has  tokens  on  all  of  its  input  arcs  in  that  state.  It  is  the 
fortunate  property  of  data  flow  that  nothing  can  change  the  value  of  a 
token  once  it  appears  on  an  arc.  Therefore,  the  values  input  by  firings 
and  do  not  depend  on  which  firing  occurs  first. 

If  one  of  these  actors,  say  d^,  is  not  a  structure  operator,  then 
the  only  effect  of  (p^  on  the  state  is  to  place  tokens  on  d^'s  output 
arcs.  The  values  of  those  tokens  depend  only  on  the  values  input  by  <p^. 
Therefore,  the  state  change  effected  by  cp^  does  not  depend  on  whether  or 
not  it  precedes  cp^.  Since  the  effect  of  cp^  depends  on  at  most  4)2' s 
inputs  and  the  heap,  neither  of  which  is  changed  by  4^,  it  is  independent 
of  whether  or  not  <p2  follows  <p^. 

Therefore,  for  4^  and  4^  to  interfere,  d^  and  d2  must  both  be 
structure  operators.  As  noted  in  general  earlier,  one  of  the  firings, 
say  4>2>  must  change  a  stored  item,  and  the  other  must  either  change  that 
same  item  or  output  a  value  which  depends  on  that  item.  Each  firing  of 
a  structure  operator  changes  or  depends  upon  items  wholly  within  one 
node's  content.  That  node  is  either  the  one  pointed  to  by  the  firing's 
input  or  one  activated  by  the  firing.  If  cp^  were  to  change  the  content 
of  a  node  n  which  it  activated,  then  <p^  could  not  change  or  depend  upon 
n's  content.  This  is  because  (1}  node  n  is  not  active  in  5*2,  before  4>2» 
and  so  no  token  in  that  state,  including  4>^'s  input,  has  a  pointer  to  n 
as  its  value,  and  (2)  if  <p^  also  activates  a  node,  then  that  node  is 
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necessarlly  distinct  from  n.  Therefore,  must  change  the  content  of  the 
node  pointed  to  by  its  input,  and  must  input  this  same  pointer.  This 
implies  that  d^  must  be  either  an  Assign,  Update,  or  Delete  operator. 
(Since  no  LfiV  operator  can  change  the  content  of  an  already-active  node, 
no  two  firings  of  LgV  operators  can  interfere.  Hence,  all  Lgy  programs 
are  functional.) 

From  this,  necessary  conditions  for  firings  cp^  and  to  interfere 
include:  ^ 

1.  both  are  firings  of  structure  operators,  one  an  Assign,  Update, 
or  Delete,  and 

2.  both  have  the  same  (number-1)  pointer  input. 

Certain  pairs  of  firings  cannot  interfere,  by  virtue  of  the  actions  of 

the  actors  of  which  they  are  firings.  Otherwise,  the  firings  potentially 

interfere.  The  strategy  for  precluding  actual  interference  in  this  latter 

case  is  to  insure  that  the  firings  are  sequenced  by  S’,  i.e.,  that  they 

occur  in  the  same  relative  order  in  all  firing  sequences  starting  in  5. 

This  strategy  is  explained  and  justified  shortly.  First,  the  structure 

operations  in  L  are  examined  to  see  which  ones  cannot  potentially 
fib 

interfere  with  each  other. 

The  following  observations  are  made  about  potential  interference 
between  two  firings  of  structure  operators  with  pointer  inputs 
(number-1  pointer  input  for  an  Update)  equal  to  p:  Let  m  =  n (p) . 

1.  The  Lgg  structure  operators  can  be  partitioned  into  two  classes: 
read  class  -  Fetch,  First,  Next,  Select,  Copy 
write  class  -  Assign,  Update,  Delete 
so  that  no  two  firings  of  read-class  operators  potentially  interfere. 
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2.  A  Copy  firing  potentially  Interferes  with  any  firing  of  a  write- 
class  operator,  because  the  content  of  the  node  activated  by  the 
Copy  firing  depends  on  the  entire  content  of  m. 

3.  An  Assign  firing  potentially  interferes  with  a  Fetch  or  Assign 
firing. 

4.  A  First  or  Next  firing  potentially  interferes  with  an  Update  or 
Delete  firing,  because,  the  latter  modifies  the  set  0(m)  of  selectors 
off  m.  This  has  the  following  possible  consequence:  Let  s^  be  the 
selector  input  of  a  Next  firing,  or  in  the  case  of  a  First  firing, 
let  be  a  lower  bound  of  the  selector  domain  £  with  respect  to  the 
total  ordering  <.  Let  s^  be  the  selector  which  would  be  output  by 
firing  the  First  or  Next  first.  Then  either: 

a.  a  Delete  firing  could  remove  the  ordered  pair  with  s^,  or 

b.  an  Update  firing  could  add  a  pair  with  selector  s^  such  that 

81  <  s3  <  s2 

5.  A  Select  firing  potentially  interferes  with  an  Update  or  Delete 
firing  iff  their  selector  inputs  are  the  same. 

6.  Two  Update  firings  or  an  Update  and  a  Delete  firing  potentially 
interfere  iff  their  selector  inputs  are  the  same. 

These  observations  are  summarized  in  the  following: 


Definition  3.1-2  The  read  class  of  L„„  structure  operations  consists  of 

“  ““  '  "  _  T_  ub 

Fetch,  First,  Next,  Select,  and  Copy.  The  write  class  consists  of  Assign, 
Update,  and  Delete. 

Given  an  initial  state  S  for  an  L^g  program,  and  a  firing  sequence 
2  starting  in  S,  any  two  firings  in  £  having  the  same  number-1  input 
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potentially  interfere  based  on  their  operations  and  selector  inputs, 
according  to  Table  3.1-1. 

A 

Theorem  3.1-1  Two  firings  interfere  only  if  they  potentially  interfere. 

A 

3.1.2  Determinacy 

Given  an  initial  state  S  for  a  program  P,  the  existence  of  two 
potentially-interfering  firings  <p^  and  <p  in  a  firing  sequence  starting  in 
S  does  not  necessarily  imply  that  P  is  non-functional.  P  may  still  be 
functional  for  any  of  the  following  reasons: 

1.  (Sequencing)  There  is  no  firing  sequence  2  starting  in  S  such  that 
both  £>(Pjq>2  and  Sq^fp^  are  firing  sequences  starting  in  S. 

2.  (Repetition)  There  is  such  an  2,  but  ^*S2<p1<p2  and  5''2(P2<P1  are 
identical  states.  This  may  occur  if,  for  example,  q>2  is  an  Assign 
firing  which  assigns  v  as  the  value  of  node  n,  and  either: 

a.  is  a  Fetch  firing  and  n  has  value  v  in  S'Q,  so  that  cp^ 
outputs  v  whether  or  not  <p^  precedes  it,  or 

b.  q>,  is  an  Assign  firing  which  also  assigns  value  v,  so  that  n 
has  value  v  after  both  firings  regardless  of  their  order. 

3.  (Lossiness)  <p^  and  actually  interfere,  but  the  aspects  in  which 
states  5’’&<Pjq>2  and  •S' * S2q> 2<P ^  differ  do  not  enter  into  determination 
of  the  final  state. 

Potentially-interfering  firings  in  a  firing  sequence  are  inevitable, 
for  there  is  little  purpose  in  a  firing  which  writes  an  item  into  a  node's 
content  if  no  subsequent  firing  will  ever  read  that  item.  Insuring  a 
program's  functionality  thus  necessitates  (1)  identifying  whenever  firings 
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Legend  : 

V  two  firings  of  operators  of  these  types  potentially  interfere 

*  two  firings  of  operators  of  these  types  potentially  interfere 
iff  their  selector  Inputs  are  the  same 

Interference  Potential  of  Firings  with  the  Same  Pointer  Input 

Table  3.1-1 

of  two  operators  potentially  interfere,  and  (2)  seeing  that  each  such  in¬ 
stance  does  not  induce  non-functionality,  for  one  of  the  above  three 
reasons . 

By  far  the  most  common  reason  for  functionality  is  freedom  from 
conflict.  A  conflict-free  program  is  one  in  which  every  pair  of 
potentially-interfering  firings  is  sequenced: 

Definition  3.1-3  Given  any  initial  state  S  for  a  data-flow  program  P, 
the  iC^  firing  of  actor  in  P  ia  sequenced  by  £  after  the  firing  of 


actor  iff,  for  all  firing  sequences  2  starting  in  S,  the  i^  firing 
of  in  £>  follows  the  jth  firing  of  in  2. 

A  program  P  is  conflict-free  iff  the  following  is  true  for  every 
initial  state  S  for  P  and  every  two  structure  operators  d^  and  d^  in  P: 

If  there  is  a  firing  sequence  starting  in  S  in  which  the  i^  firing  of  d^ 
potentially  interferes  with  the  j*"*1  firing  of  d^,  which  it  follows,  then 
the  i*^  firing  of  d^  is  sequenced  by  S  after  the  firing  of  d^. 

A 

Functionality  of  a  conflict-laden  program  by  virtue  of  repetition  or 
lossiness  is  pathological  and  difficult  to  verify.  Therefore,  the  strategy 
for  guaranteeing  functionality  is  to  guarantee  freedom  from  conflict. 

Lack  of  conflict  in  fact  implies  a  much  stronger  property  of  programs 
than  functionality:  determinacy .  A  determinate  program  is  one  which  not 
only  always  produces  the  same  outputs  given  the  same  inputs,  but  always 
does  so  "in  the  same  way".  This  important  concept  is  made  more  precise 
in  the  following: 

Given  a  program  P,  the  set  of  all  initial  states  which  represent  the 
same  inputs  to  P  is  an  equivalence  class  E.  Therefore,  P  is  determinate 
iff  any  two  firing  sequences  2^  and  starting  in  any  two  states  in  any 
such  E  lead  "in  the  same  way"  to  equal  final  states,  where  "in  the  same 
way"  is  defined  by  the  five  Determinacy  Assertions  discussed  in  the 
following  paragraphs. 

The  sets  of  firings  in  2^  and  £>2  must  be  the  stme,  and  each  firing 
must  have  the  same  set  of  non-pointer  Inputs  in  and 

1.  For  each  actor  d  in  P,  the  number  of  firings  of  d  in  equals  the 


number  of  firings  of  d  in 
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2.  For  any  actor  d  and  Integers  i  and  j,  the  number-i  input  to  the  jth 
firing  of  d  in  2^  is  not  a  pointer  iff  the  number-i  input  to  the  j**1 
firing  of  d  in  22  is  not  a  pointer.  Furthermore,  if  those  two  input 
values  are  not  pointers,  then  they  are  Identical. 

Since  pointer  values  are  arbitrary,  any  single  given  firing  may  have 
different  pointer-valued  inputs  in  2^  and  .  If  two  different  firings 
both  have  the  same  pointer-valued  input  in  2^»  however,  then  those  firings 
must  have  the  same  pointer-valued  input  in  22*  Put  another  way: 

3.  There  is  a  one-to-one  map  F  over  pointers  such  that  the  number-i 

input  to  the  jth  firing  of  d  in  2^  is  pointer  p  iff  the  number-i 

input  to  the  jth  firing  of  d  in  ^  F(p) . 

In  addition  to  these  constraints  on  the  value  of  an  input  to  a 
firing,  the  other  firing  from  whose  output  that  value  was  transferred  must 
be  the  same  in  2^  and  22 »  whether  the  transfer  is  direct  or  indirect. 

A  direct  transfer  occurs  via  an  arc  of  the  program:  if  the  token  removed 
from  an  input  arc  of  actor  d^  by  its  firing  was  placed  there  by  the 
k**1  firing  of  actor  d^,  then  the  value  of  that  token  was  transferred 
directly  from  the  latter  output  to  the  former  input.  Thus: 

4.  For  every  arc  b  in  P,  let  b  be  an  output  arc  of  d2  and  an  input  arc 

of  d^.  Then  the  firing  of  d^  in  S2^  removes  a  token  placed  on  b 

by  the  kth  firing  of  d2  iff  the  j1*1  firing  of  d^  in  22  removes  a 
token  placed  on  b  by  the  k^  firing  of  . 

An  indirect  transfer  of  value  v  from  the  k***1  firing  of  d2  to  the 
number-i  input  of  the  j**1  firing  of  d^  proceeds  via  the  heap,  as  follows: 
First  v  is  transferred  directly  from  the  kttl  firing  of  d^  to  the  number-2 
input  of  an  Assign  firing,  which  writes  v  as  the  value  of  a  node. 
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Subsequently,  v  is  output  by  a  Fetch  firing  F  which  is  in  the  reach  of  A. 
Then  it  is  transferred  directly  from  F's  output  to  the  number-i  input  of 

the  firing  of  d^.  The  complex  concept  of  reach  is  central  to  the 

understanding  of  the  interrelationships  between  firings  of  structure 
operators.  It  is  discussed  in  detail  in  Chapter  5;  since  the  intent  here 
is  only  to  provide  an  intuitive  introduction  to  determinacy,  the  following 
brief  explanation  of  reach  should  suffice. 

Let  A  be  any  Assign  firing  which  inputs  a  pointer  p,  and  let  n  «  n(p). 
For  any  other  Fetch  or  Assign  firing  F  in  the  same  firing  sequence,  let  q 
be  F's  pointer  input  and  let  m  =  n(q).  Then  F  is  in  the  reach  of  A  iff 
its  outputs  necessarily  depend  just  on  the  value  written  by  A;  i.e.,  iff 

a.  m  *  n  and  F  occurs  while  n  still  has  the  value  written  by  A,  or 

b.  m  is  a  copy  of  n  made  while  n  still  had  the  value  written  by  A,  and 

F  occurs  while  m  still  has  its  initial  value  copied  from  n. 

The  indirect  transfers  will  be  the  same  in  2^  and  2^  if  the  direct 
transfers  are  the  same  and 

5.  For  each  Assign  (or  Update/Delete)  firing  A,  the  reach  of  A  in  2^ 
contains  the  same  firings  as  the  reach  of  A  in  22* 

The  five  assertions  just  listed  complete  the  definition  of  a  deter¬ 
minate  program.  The  awkward  statement  of  the  definition  in  terms  of  the 
usual  model  of  data  flow  is  a  major  motivation  for  the  development,  in 
Chapter  4,  of  a  new  model  of  concurrent  computation.  This  model  permits 
a  more  precise  definition  of  reach  and  a  much  more  concise  definition  of 
determinacy,  as  will  be  seen  in  Chapters  5  and  6. 


Since  determinacy  Is  the  only  practical  path  to  functionality,  the 
primary  goal  of  the  thesis  is  refined  thusly:  Develop  a  language  and 
an  interpreter  for  it,  together  with  a  translation  algorithm  which  takes 


any  well-behaved  L„,  program  P  into  an  L  program  which,  on  the  new 
bv  d 

interpreter,  is  determinate,  equivalent  to  P,  and  maximally-concurrent . 
This  development  is  in  three  steps: 

1.  Modify  the  standard  interpreter  so  that  an  easily-recognized  class 
of  Lgg  programs  are  conflict-free  and  have  maximal  concurrency 
consistent  with  that  freedom. 


2.  Prove  that  freedom  from  conflict  guarantees  determinacy  of  a  data¬ 
flow  program,  and  that  determinacy  in  turn  guarantees  functionality. 

3.  Present  a  translation  algorithm  which  takes  any  well-behaved  LBV 
program  into  an  equivalent  L_  program. 

The  first  and  third  steps  are  undertaken  in  the  remainder  of  this  chapter; 


the  second  step  occupies  the  rest  of  the  thesis. 


3.2  Guaranteeing  Determinacy 

This  section  describes  techniques  for  eliminating  enough  structure 
concurrency  from  an  arbitrary  LgS  program  to  guarantee  its  determinacy. 

Any  data-flow  program  without  structure  operators  is  necessarily  deter¬ 
minate.  The  presence  of  structure  operators  inposes  the  following  addi¬ 
tional  requirement:  If  two  firings  potentially  interfere  in  any  firing 
sequence  starting  in  initial  state  5,  then  they  must  be  sequenced  by  S. 

The  easiest  way  to  sequence  the  i^  firing  of  d^  after  the  jth  firing 
of  d2  is  to  ensure  that  d^  is  not  enabled  for  the  ith  time  until  after  d2 
has  fired  for  the  j ^  time.  The  easiest  way  to  prevent  an  actor's  being 
enabled  is  to  deny  it  one  of  its  input  tokens.  The  only  input  common  to 
all  structure  operators  is  a  number-1  pointer  input.  Accordingly, 
techniques  are  presented  in  this  section  to: 

1.  identify  which  firings  of  which  structure  operators  in  a  program 
might  potentially  interfere  in  a  firing  sequence  2,  and 

2.  sequence  each  such  pair  of  firings,  by  withholding  the  pointer 
input  to  the  second  until  the  first  has  occurred. 

There  are  two  different  techniques  used,  depending  on  whether  the 
two  firings  are  in  the  same  blocking  group  in  2  or  in  different  ones. 
Section  3.2.1  defines  blocking  groups  and  explains  why  different 
techniques  are  appropriate  in  the  two  cases.  Sections  3.2.2  and  3.2.3 
then  describe  the  two  techniques  for  identifying  and  sequencing 
potentially-interfering  firings. 


3.2.1  Blocking  Groups 

Every  pointer-valued  token  appearing  in  a  state  can  be  traced  back  to 
a  unique  origin,  either  a  program  input  token  or  the  output  of  a  firing  of 
a  Copy  or  Select  operator.  (The  only  other  way  in  which  a  pointer-valued 
token  appears  on  an  arc  is  as  the  output  of  a  firing  of  a  pi  actor  which 
removed  an  Identical  token  from  another  arc;  such  firings  are  thought  of 
as  propagating  rather  than  creating  the  token.)  A  blocking  group  in  a 
firing  sequence  consists  of  all  firings  which  remove  pointer-valued  tokens 
having  a  common  origin.  The  origin  of  each  token  is  easily  perceived  by 
considering  the  tagged  data-flow  interpreter,  explained  below  in 
Section  3. 2. 1.1.  Section  3. 2. 1.2  then  explains  the  significance  of  two 
firings  being  in  the  same  or  in  different  blocking  groups. 

3. 2. 1.1  The  Tagged  Interpreter 

The  tagged  data-flow  Interpreter  is  Introduced  informally  here, 
purely  for  explanatory  purposes.  It  is  not  the  modified  Interpreter 
which  meets  the  goal  of  the  thesis;  that  is  defined  formally  later. 

A  state  of  the  tagged  interpreter  is  similar  to  a  standard  inter¬ 
preter  state  (Definition  2.1-3).  The  only  difference  is  that  pointers  are 
replaced  by  tagged  pointers  as  values  for  tokens .  A  tagged  pointer  is  an 
ordered  pair  consisting  of  a  pointer  p  and  a  tag  e,  which  indicates  the 
origin  of  the  token.  This  tagged  pointer  is  written  TP(p,e). 

An  initial  state  of  the  tagged  interpreter  is  one  obtained  from  an 
initial  standard  state  by  giving  each  pointer-valued  token  a  new  value, 
as  follows:  If  the  token  is  on  the  number-i  input  arc  of  the  program  and 
has  value  p,  then  its  new  value  is  TP(p,Tg(ID,i)) .  Each  firing  of  a  pi 
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actor  which  Inputs  a  token  with  a  tagged  pointer  outputs  a  token  with  the 
same  tagged  pointer.  A  firing  of  a  structure  operator  with  Input  TP(p,e) 
ignores  the  tag  e,  outputting,  in  general,  the  same  values  as  It  would  on 
the  standard  interpreter  given  just  p  as  input.  The  exception  is  that  the 
n  ^  firing  of  a  Copy  or  Select  operator  d  in  a  firing  sequence  outputs 
tagged  pointers  with  the  tag  Tg(d,n). 

There  is  a  one-to-one  correspondence  between  the  possible  sequences 
of  states  undergone  by  the  standard  interpreter  and  those  undergone  by 
the  tagged  interpreter.  For  example,  for  any  standard  state  sequence 
starting  in  an  initial  state  for  program  Alters,  the  corresponding  tagged 
state  sequence  is  given  by  the  following  algorithm: 

Replace  any  token  with  pointer  with  a  token  having  as 


value  p  appearing  on 
the  X  program  input  arc 


the  output  arc  of  S^,  i»l,2 


value  the  tagged  pointer 
TP(p,Tg(ID,2)) 
TP(p,Tg(Si,l)) 
TP(p,Tg(Ci,l)) 


the  output  arc  of  C^,  1-1,2 
Therefore,  a  program  is  determinate  on  the  tagged  interpreter  iff  it  is 
determinate  on  the  standard  interpreter. 


3. 2. 1.2  Intra-Group  versus  Inter-Group  Sequencing 

Each  firing  of  a  structure  operator  on  the  tagged  interpreter  removes 
a  token  having  a  tagged  pointer  as  value.  The  tag  identifies  the  origin 
of  the  token.  For  each  tag  e  and  firing  sequence  Q,  the  blocking  group 
8  (e)  is  the  set  of  all  firings  in  S  which  remove  tokens  with  tag  e  from 

w 

their  number-1  input  arcs  (or  more  precisely,  which  remove  tokens  with 
which  are  associated  tagged  pointers  containing  tag  e) .  For  example,  in 


any  firing  sequence  2  for  Alters,  the  firings  of  U  and  are  both  in 
Bg(Tg(C^,l)),  while  the  firings  of  A  and  F  are  in  distinct  blocking 
groups  B2(Tg(C2,l))  and  Bfi(Tg(S2,l)) . 

Two  tokens  with  the  sane  tag  have  the  same  pointer  value.  Thus,  two 
structure  operator  firings  in  the  same  blocking  group  necessarily  have 
equal  number-1  inputs.  Their  interference  potential  is  then  determined 
solely  by  their  operations  and  their  selector  inputs,  according  to 
Table  3.1-1.  The  firings  of  U  and  S2>  which  are  always  in  the  same 
blocking  group,  always  potentially  Interfere.  Since  they  are  not  sequenced 
by  any  initial  state.  Alters  is  non-determinate.  It  is  easy  to  ascertain 
syntactically  whether  or  not  firings  of  two  actors  in  a  program  can  ever 
be  in  the  same  blocking  group;  this  is  done  in  Section  3. 2. 1.3.  If  so,  the 
program  can  be  re-written  to  guarantee  that  one  of  the  actors  is  never 
enabled  with  a  given  tagged  pointer  as  input  until  the  other  one  has  con¬ 
sumed  an  identical  input.  This  is  demonstrated  in  Section  3.2.2. 

Two  firings  in  distinct  blocking  groups  may  or  may  not  have  equal 
pointer  inputs.  From  Figure  3.1-1,  the  firings  of  A  and  F  in  Alters  will 
have  equal  pointer  inputs  if  S2  fires  after  U.  I.e. ,  A  and  F  potentially 
interfere,  even  if  S2’s  firing  is  sequenced  after  U's  (Figure  3.2-1). 

Thus,  Alters  will  be  determinate  only  if  A  and  F  are  somehow  sequenced. 

But  in  a  similar  program  in  which  U  and  S2  could  have  unequal  selector 
inputs,  A  and  F  could  have  unequal  pointer  Inputs.  In  that  case,  A  and  F 
should  not  be  sequenced,  in  the  interest  of  increased  concurrency.  There¬ 
fore,  firings  in  distinct  blocking  groups  should  be  sequenced  only  if  their 
pointer  inputs  are  actually  equal.  In  general,  this  discrimination  is 


A  Further  Example  of  Interference 
Figure  3.2-1 

possible  only  through  a  "run-time”  inspection  of  these  Inputs.  This 
requires  modifying  the  interpreter,  as  described  in  Section  3.2.3. 

3. 2. 1.3  Distribution  Groups 

As  mentioned,  it  is  easy  to  identify  those  pairs  of  actors  in  a 
program  of  which  firings  can  be  in  the  same  blocking  group:  Firings  of 
two  actors  can  be  in  the  same  blocking  group  only  if  the  actors  are  in 
the  same  maximal  pointer  distribution  group,  defined  in  the  following. 

Definition  3.2-1  A  kernel  in  a  program  P  is  a  subset  K  of  the  data  arcs 
of  P  which  satisfies  one  of  the  following  two  specifications: 
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1.  For  any  i,  let  b  be  the  number-i  program  input  arc  of  P.  Then  {b} 
is  a  kernel,  the  one  denoted  K(lD,i). 

2.  For  any  actor  d  in  P,  and  for  i  *  1  or  i  -  2,  the  set 
{b|  b  is  in  the  number-i  group  of  output  arcs  of  d}  is  a  kernel, 
and  is  denoted  K(d,i). 

The  primary  input  arc  of  a  structure  operator  is  its  number-1  input 
arc;  the  primary  input  arcs  of  a  pi  actor  are  its  transmit ted-lnput  arcs. 

For  any  arc  b  in  P,  the  channels  starting  at  b  are  subsets  of  the 
data  arcs  of  P  satisfying  the  following  recursive  specification: 

1.  b  is  in  every  channel  starting  in  b. 

2.  If  b  is  an  output  arc  of  a  pi  actor  d,  then  any  channel 

containing  a  primary  input  arc  of  d  also  contains  arc  b. 

For  any  kernel  K,  the  distribution  group  for  K,  G(K) ,  is  the  set  of 
all  structure  and  pi  actors  in  P  whose  primary  input  arcs  are  in  channels 
starting  at  arcs  in  K. 

The  set  of  maximal  pointer  distribution  groups  (m.p.d.g.'s)  in  P  is 
{G(K) |  3i:  K  -  K(ID,i)  v 

3S:  S  labels  a  Select  operator  in  P  and  K  =  K(S,1)  v 

3C:  C  labels  a  Copy  operator  in  P  and  K  -  K(C,1)  or  K  •  K(C,2)} 

A 

An  m.p.d.g.  describes  a  relation  among  the  actors  in  a  program  which 
is  static,  based  only  on  the  unchanging  program.  A  blocking  group,  on 
the  other  hand,  establishes  a  dynamic  relation  among  firings  of  actors, 

( 

which  may  change  from  one  firing  sequence  to  another.  The  two  relations  ! 

are  closely  coupled,  as  shown  in 


.  --ars'i 


The  Static/Dynamic  Group  Relationship:  Given  a  firing  sequence  2  for 
program  P  on  the  tagged  interpreter,  for  every  firing  cp  in  2  of  a 
structure  operator  d  in  P,  there  is  a  tag  e  such  that  ip€B^(e) .  Also: 

1.  If  e  ■  Tg(ID,i)  for  some  i,  then  d  is  in  G(R(ID,i)). 

2.  If  e  *  Tg(S,n)  for  some  n,  where  S  is  a  Select  or  Copy  operator  in 
P,  then  d  is  in  G(K(S,1)),  if  S  is  a  Select,  or  d  is  in  G(K(S,1)) 
or  G(K(S,2)) ,  if  S  is  a  Copy. 

According  to  this  relationship,  which  is  proven  as  Lemma  3.3-1, 
firings  of  each  of  two  actors  are  in  the  same  blocking  group  only  if  the 
actors  are  in  the  same  or  closely-related  m.p.d.g.'s.  E.g.,  in  Alters  the 

firings  of  U  and  S£  are  always  in  a  common  blocking  group,  and  U  and 
are  in  the  same  m.p.d.g.  (The  reason  for  the  ungainly  separation  into  two 
m.p.d.g.'s  per  Copy  operator  will  be  explained  at  the  end  of  Section  3.3.) 

Not  all  firings  of  actors  in  one  m.p.d.g.  are  in  the  same  blocking 
group.  For  example,  if  Alters  were  embedded  in  a  loop,  so  that  each  actor 
in  it  fired  several  times  in  one  firing  sequence,  then  for  each  n,  the  only 
firings  to  input  tokens  with  tag  Tg(C^,n)  would  be  the  n^  firings  of  U 
and  S^.  Thus  the  i^  firing  of  U  and  the  j**1  firing  of  S2,  for  i* j ,  would 
be  in  distinct  blocking  groups. 

With  this  background,  it  is  easy  to  explain  the  two  techniques  for 
identifying  and  sequencing  potentially-interfering  firings:  one  for  firings 
in  the  same  blocking  group  and  the  other  for  distinct  groups. 

3.2.2  Sequencing  Within  a  Blocking  Group 

This  section  introduces  the  technique  for  identifying  and  sequencing 


every  pair  of  potentially-interfering  firings  which  are  in  the  same 
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blocking  group.  The  Identification  problem  has  already  largely  been 
solved:  A  firing  of  actor  d^  in  program  P  is  not  in  the  same  blocking 
group  as  a  firing  of  d2  unless  d^  and  d^  are  in  the  same  m.p.d.g.  Further¬ 
more,  Table  3.1-1  may  show  that  firings  of  d^  and  d2  could  never  poten¬ 
tially  Interfere.  Otherwise,  certain  pairs  of  firings  of  d^  and  d^  will 
be  in  common  blocking  groups  and  will  potentially  interfere.  Those  pairs, 
in  which  on  the  tagged  interpreter  both  firings  remove  tokens  with  the 
same  tag,  must  be  sequenced  by  every  initial  state  of  P. 

The  sequencing  problem  is  to  guarantee  that  a  certain  firing  of  d^, 
say  the  j**1,  which  removes  a  token  with  tag  e,  never  occurs  until  after, 
say,  the  1th  firing  of  d^,  which  removes  an  Identical  token.  As  mentioned 
earlier,  the  surest  solution  is  to  prevent  the  jth  appearance  of  a  token 
on  d2's  Input  arc  until  after  the  I**1  firing  of  d^  has  occurred.  This  can 
always  be  accomplished  by  re-writing  the  program,  inserting  a  sequencer 
between  d^  and  d2: 


Definition  3.2-2  An  (r-ary)  sequencer  is  an  r-ary  data-flow  operator  with 
which  is  associated  the  projection  function  P*,  defined  by 

P^(x1,x2,. ..,xr)  •  xl 


A 


Just  like  any  other  data-flow  operator,  a  sequencer  is  not  enabled  to  fire 
until  it  has  tokens  on  all  of  its  input  arcs.  When  it  fires,  it  ignores 
all  but  one  input  token,  and  places  on  its  output  arcs  tokens  Identical  to 
that  one  input  token  (which  on  the  tagged  interpreter  may  be  a  tagged 
pointer).  Therefore,  a  sequencer  is  a  pi  actor,  with  its  number-1  input 
arc  being  its  only  transmitted-input  arc. 
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The  program  Alters'  (Figure  3.2-2)  Illustrates  the  use  of  a  sequencer 
to  sequence  all  potentially-interfering  firings  of  U  and  S£  in  Alters. 
(This  figure  uses  a  graphical  convention  in  which  the  transmitted-input 
arc  of  a  sequencer  is  connected  to  its  output  arcs  through  the  actor 
symbol.)  For  each  n,  the  nC^  firing  of  Copy  on  the  tagged  interpreter 
places  tokens  with  the  unique  tag  e  =  Tg(C^,n)  on  all  output  arcs  of  C^. 
Those  tokens  will  be  input  by  the  nC^  firings  of  U  and  of  sequencer  Q. 
Tokens  with  tag  e  cannot  appear  on  other  arcs  of  the  program  until  after 
the  nth  firing  of  Q.  Q  is  not  enabled  for  the  nth  time  until  the  nth 
appearance  of  some  token  on  its  other  input  arc.  This  appearance  occurs 
as  a  result  of  the  nCl1  firing  of  U,  which  is  the  firing  of  U  which 
consumes  a  token  with  tag  e.  Therefore,  no  tokens  with  tag  e  can  appear 
on  the  input  arcs  of  any  structure  operators  other  than  U  before  that 
firing  of  U  which  consumes  a  token  with  tag  e.  Of  all  the  firings  of 
structure  operators  in  blocking  group  B^(e),  the  first  to  occur  is  the 
firing  of  U.  Therefore,  those  firings  of  U  and  which  are  in  the  same 
blocking  group  are  sequenced. 

Sequencers  can  be  used  in  this  manner  to  sequence  any  two  firings  in 
the  same  blocking  group.  Any  program  in  which,  for  every  initial  state 
S,  every  pair  of  potentially-interfering  firings  in  a  common  blocking 
group  are  sequenced  by  S  satisfies  the  Determinacy  Condition  (this 
statement  will  be  formalized  later.) 

The  example  of  Alters'  suggests  a  simplistic  algorithm  to  translate 
any 


program  into  an  L^,,  program: 
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Figure  3.2-2 
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Algorlthm  3.2-1  For  any  LfiV  program  P,  perform  the  substitutions  shown 
in  Figure  3.2-3  for  every  Const,  Append,  and  Remove  operator  in  P. 

A 

Denote  by  Lc  the  set  of  L„c  programs 

O  DO 

Lg  =  {P'  |  P'  is  the  translation  of  an  Lg^  program} 

Then  the  following  argues  informally  that  each  P'  in  L  satisfies  the 

b 

Determinacy  Condition;  a  formal  proof  is  given  in  Section  3.4. 

For  any  LgV  program  P,  let  P'  be  the  program  resulting  from  applying 
Algorithm  3.2-1  to  P.  Let  d^  and  d ^  be  two  operators  in  P'  such  that 
there  is  a  firing  sequence  S2  in  which  two  firings  of  d^  and  d^  are  in  the 
same  blocking  group  Bg(e)  and  potentially  interfere.  Then,  from 
Table  3.1-1,  at  least  one  of  the  actors,  say  d^,  must  be  a  write-class 
operator:  Assign,  Update,  or  Delete.  Since  there  is  no  such  operator  in 
any  LgV  program,  d^  must  have  been  Introduced  into  P'  by  the  translation 
algorithm.  Comparing  Figures  3.2-2  and  3.2-3,  then,  in  P'  the  operator  dj^ 
and  a  sequencer  are  connected  to  each  other  and  to  the  outputs  of  a  Copy 
operator  just  as  are  U  and  Q  in  Alters'.  Therefore,  the  conclusion  drawn 
with  respect  to  the  latter  program  applies  to  the  former:  Every  firing 
of  d^  is  sequenced  before  any  other  structure  operator  firing  which  is  in 
the  same  blocking  group.  Therefore,  any  two  firings  which  potentially 
interfere  and  are  in  the  same  blocking  group  are  sequenced.  This  is  the 
Determinacy  Condition,  and  it  holds  for  every  program  P'  which  is  the 
translation  of  any  L  .  program. 

BV 

This  completes  the  informal  explantion  of  how,  at  least  in  L 

b 

programs,  all  pairs  of  potentially-interfering  firings  in  common  blocking 
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groups  are  sequenced.  The  technique  Is  formally  verified  in 
Section  3.4.  The  next  sub-section  now  describes  a  new  technique  for 
sequencing  pairs  of  firings  from  distinct  blocking  groups,  which  is  a 
major  contribution  of  the  thesis. 

3.2.3  Sequencing  Firings  in  Distinct  Blocking  Groups 

This  section  analyzes  the  programs  in  Lg  with  the  aid  of  the  tagged 
interpreter.  The  goal  is  a  method  which  insures  the  following  for  any 
firings  sequence  2  starting  in  any  initial  state  S :  If  two  firings  which 
are  in  different  blocking  groups  in  £  potentially  interfere,  then  they 
are  sequenced  by  S.  I.e.,  for  any  two  distinct  blocking  groups  B^(e^) 
and  B^Ce^),  the  method. must  (1)  determine  which  pairs  of  firings,  one  from 
each  group,  potential*  'y  interfere,  and  then  (2)  insure  that  each  such 
pair  is  sequenced. 

The  most  straightforward  method  will  be  used,  which  is  to: 

(1)  determine  if  there  is  any  firing  in  B^(e^)  which  potentially 
interferes  with  any  firing  in  B^^),  and 

(2)  if  so,  insure  that  all  firings  in  Bg(e2)  are  sequenced,  say, 

after  all  firings  in  B^e^.  I.e.,  insure  that  in  no  firing 

sequence  S3  starting  in  S  does  a  firing  in  B^(e^)  follow  a 
firing  in  BQ(e2). 

The  next  paragraph  explains  a  general  technique  for  insuring  that  entire 
blocking  groups  are  sequenced  (step  (2)  above) .  This  is  followed  by  a 
characterization  of  those  groups  in  an  Lg  program  which  must  be 
sequenced  (according  to  step  (1)  above) . 


! 


I 
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The  one  thing  which  all  firings  In  B^ej)  have  In  common  on  the 
tagged  Interpreter  Is  that  they  remove  tokens  with  tag  e2«  None  of 
these  firings  occurs  until  after  the  first  appearance  (on  arcs  of  the 
configuration)  of  such  tokens.  Therefore,  a  simple  sequencing  technique 
is  to  insure  that  the  first  tokens  with  tag  e2  do  not  appear  on  arcs 
until  all  firings  in  Bg(e^)  have  occurred.  This  implies  directly  that 
the  first  appearance  of  a  token  with  tag  e^  (which  precedes  all  firings  in 
B^(e^))  must  precede  the  first  appearance  of  a  token  with  tag  e2>  Given 
that  the  first  tokens  with  tag  e^  have  appeared,  an  easily-implemented 
indication  that  all  firings  in  B  (e..)  have  occurred  is  the  disappearance 
of  the  last  such  token.  (This  is  because  for  all  firings  tp  in  £  except 
one,  if  (p  places  a  token  with  tag  e^^  on  an  arc,  there  must  have  been  such 
a  token  on  another  arc  for  <p  to  remove.)  These  two  observations  give 
rise  to 

The  Group  Sequencing  Technique :  For  any  firing  sequence  £,  if 

1.  the  first  tokens  with  tag  e^  appear  before  the  first  tokens 
with  tag  and 

2.  the  first  tokens  with  tag  e2  do  not  appear  while  there  are  still 
tokens  with  tag  e^  in  the  configuration, 

then  no  firing  in  precedes  a  firing  in  B^(ej). 

This  is  a  general  technique  for  sequencing  all  firings  in  one  blocking 
group  after  all  firings  in  another.  Now  a  rule  is  developed  establishing 
when  two  blocking  groups  in  an  Lg  program  should  be  so  sequenced. 

Let  d^  and  d2  be  any  two  actors  in  an  Lg  program  such  that,  in  some 
firing  sequence  £,  a  firing  of  d^  potentially  interferes  with  a  firing 
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<p„  of  d-,  and  ;.p,  and  ip2  are  In  distinct  blocking  groups  B  (e)  and  B  (e  ) . 
Then  at  least  one  of  the  actors,  say  d^,  must  be  In  the  write-class  (by 
Table  3.1-1).  Firing  removes  a  token  with  tag  e,  by  definition  of 

blocking  group.  The  following  conclusions  about  e  follow  from  the 
Static/Dynamic  Group  Relationship: 

1.  If  e  *  Tg(ID,i)  for  some  i,  then  d^  is  in  G(K(ID,i)). 

2.  If  e  *  Tg(S,n)  for  some  n,  where  S  is  a  Select  operator,  then  d^ 
is  in  G(K(S, 1) ) . 

It  has  already  been  argued  from  Figure  3.2-3  that  for  each  write-class 
operator  d  in  an  Lg  program,  the  primary  input  arc  of  d  is  an  output  arc 
of  a  Copy  operator;  i.e.,  d1  is  in  G(K(C,1))  or  G(K(C,2))  for  some  Copy 
operator  C.  Therefore,  both  1.  and  2.  above  are  contravened,  so 

the  firing  ^  of  d^  removes  a  token  with  tag  e  ■  Tg(C,n)  for 
some  n,  where  C  is  a  Copy  operator. 

Let  p  be  the  pointer  such  that  tagged  pointer  TP(p,Tg(C,n))  is  the 
value  of  that  token  removed  by  then  that  tagged  pointer  is  the  output 
of  the  n*"*1  firing  of  C.  Since  ip-  is  in  B  (e'),  it  removes  a  token  with 
tag  e';  let  p'  be  such  that  TP(p',e*)  is  the  value  of  that  token.  Then 
the  following  conclusions  can  be  drawn  about  e': 

1.  If  e'  *  Tg(C',j)  for  some  j,  where  C'  is  a  Copy,  then  p'  is  the 
pointer  output  by  the  firing  of  C' .  Since  e'^e,  this  is  not 
the  n^  firing  of  C.  Since  each  Copy  firing  in  2  outputs  a  unique 
pointer,  pVp»  But  then  and  <p2  do  not  potentially  Interfere. 

2.  If  e'  ■  Tg(ID,l)  for  some  1,  then  there  are  tagged  pointers  with 
pointer  p'  in  the  initial  state.  This  implies  that  p'  is  in  the 


initial  n,  and  hence  is  unequal  to  any  pointer  p  output  by  a  Copy 
firing  in  2. 


Therefore, 

the  firing  <pj  of  removes  a  token  with  tag  e'  -  Tg(S,j)  for  some 
j,  where  S  is  a  Select  operator. 

This  is  as  far  as  the  identification  problem  will  be  resolved. 

That  is,  the  following  will  be  assumed  as  the  answer  to  the  question  of 
which  distinct  blocking  groups  contain  potentially-interfering  firings: 

The  Potential-Interference  Assumption:  Given  a  firing  sequence  2  and  two 
distinct  blocking  groups  B^(e)  and  B^(e'),  some  firing  in  one 
group  potentially  interferes  with  some  firing  in  the  other  iff: 

1.  e  *  Tg(C,n)  for  some  n,  where  C  is  a  Copy  operator, 

2.  e'  -  Tg(S,j)  for  some  j,  where  S  is  a  Select  operator,  and 

3.  the  jth  firing  of  S  outputs  the  same  pointer  as  the  nth  firing 
of  C. 

Now  the  strategy  for  sequencing  all  potentially-interfering  firings 
in  distinct  blocking  groups  can  be  seen:  Insure  that  any  two  groups 
which  are  assumed  by  the  above  to  contain  potentially-interfering  firings 
are  mutually  sequenced  by  the  Group  Sequencing  Technique;  i.e.,  all 
firings  in  one  group  are  sequenced  after  all  firings  in  the  other.  This 
strategy  is  most  easily  implemented  by  imposing  the  following  restriction: 
The  Blocking  Discipline:  For  every  Select  operator  S,  integer  J  >  0,  and 
pointer  p,  tokens  with  value  TP(p,Tg(S,j))  do  not  appear  on  the 
output  arcs  of  S  so  long  as  any  arcs  hold  tokens  with  value 
TP(p,Tg(C,n)>  where  C  is  a  Copy  and  n  is  any  integer. 


The  effectiveness  of  the  discipline  is  readily  seen  in  the  next  paragraph; 
an  evaluation  in  terms  of  ease  of  implementation  and  unnecessary 
sequencing  of  firings  which  do  not  potentially  interfere  is  in  Chapter  8. 

Let  e  and  e'  be  any  two  tags  such  that,  in  firing  sequence  S2,  B  (e) 
and  B^(e')  should  be  mutually  sequenced,  according  to  the  strategy.  By 
the  Potential-Interference  Assumption,  one  of  the  tags,  say  e' ,  is 
Tg(S,j)  where  S  is  a  Select  operator,  e  is  Tg(C,n)  where  C  is  a  Copy,  and 
the  j**1  firing  of  S  outputs  the  same  pointer  p  as  the  nth  firing  of  C. 
Since  the  node  to  which  p  points  is  activated  by  the  Copy  firing,  the 
Select  firing  could  not  have  output  p  before  that  firing.  I.e.,  the 
output  tokens  of  the  Copy  firing,  which  are  the  first  to  appear  with  tag 
Tg(C,n) ,  appear  before  the  output  tokens  of  the  Select  firing,  which  are 
the  first  with  tag  Tg(S,j).  By  the  Group  Sequencing  Technique,  then, 

B^(e)  and  B^(e')  will  be  mutually  sequenced  if  the  output  tokens  of  the 
Select  firing  do  not  appear  while  there  are  tokens  with  tag  Tg(C,n)  on 
any  arcs.  The  former  tokens  appears  on  S's  output  arcs,  and  have  value 
TP(p,Tg(S, j)) .  The  latter  tokens  all  have  value  TP(p,Tg(C,n)) .  Therefore 
B^(e)  and  B^(e')  will  be  mutually  sequenced  if  no  tokens  with  value 
TP(p»T8(S,J))  appear  on  S's  output  arcs  so  long  as  any  arc  holds  a  token 
with  value  TP(p,Tg(C,n)) .  This  will  be  the  case  under  the  Blocking 
Discipline. 

Enforcing  the  Blocking  Discipline  requires  comparing,  at  every  Select 
firing,  the  output  produced  by  that  firing  against  the  values  of  all 
pointer -valued  tokens  existing  in  the  configuration.  It  may  be  discov¬ 
ered  at  the  j**1  firing  of  Select  S  that  its  output  tokens,  which  have 


f 
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value  TP(p,Tg(S,j)) ,  cannot  be  placed  on  S's  output  arcs  immediately 
(because  a  token  with  value  TP(p,Tg(C,n))  was  found).  In  this  case,  the 
label  S  will  be  placed  In  a  pool,  which  is  separate  from  the  configuration 
and  heap  of  the  state  and  is  associated  with  pointer  p.  S  will  be  removed 
from  this  pool,  and  tokens  of  value  p  placed  on  the  output  arcs  of  the 
actor  labelled  S,  after  the  last  tokens  with  value  TP(p,Tg(C,n))  disappear 
from  the  configuration.  Incorporating  an  optimized  version  of  this  mech¬ 
anism  into  the  standard  data-flow  interpreter  yields  the  modified  data¬ 
flow  interpreter,  described  in  the  next  section.  First  it  is  briefly 
demonstrated  that  this  mechanism  does  insure  the  sequencing  of  every  pair 
of  potentially-interfering  firings  in  Alters1  (on  the  tagged  interpreter). 

It  has  already  been  argued  that  the  potentially-interfering  firings 
of  U  and  S2>  which  are  always  in  the  same  blocking  group,  are  sequenced 
on  any  data-flow  interpreter.  The  only  other  potentially-interfering 
firings  in  Alters'  are  of  A  and  F.  In  any  firing  sequence  2,  these 
firings  are  in  the  distinct  blocking  groups  Bffi(Tg(C2,l))  and  B^dg^.l)) , 
respectively.  Both  firings  input  the  pointer  p  which  points  to  node  n2 
(Figure  3.2-1).  That  pointer  is  output  first  by  the  firing  of  C2«  That 
firing  places  tokens  with  value  t  -  TP(p,Tg(C2,l))  on  C2's  output  arcs, 
which  enables  A,  before  S2  fires.  If  A  fires  before  S2,  then  certainly 
A  fires  before  F.  If  S2  fires  before  A,  then  there  will  still  be  tokens 
with  value  t  on  some  arcs  (A's  input  arc).  By  the  Blocking  Discipline, 
the  tokens  produced  by  that  firing  of  S2>  which  have  value  TP(p,Tg(S2,l)) , 
cannot  be  placed  on  S2's  output  arcs  lmedlately.  Instead,  the  label  S2 


i 
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will  be  placed  in  a  pool  associated  with  p,  until  such  time  as  A's  firing 
removes  the  last  token  with  value  t.  After  that,  the  label  will  be 
removed  from  the  pool,  and  tokens  with  value  TP(p,Tg(S2,l))  will  be 
placed  on  output  arcs. 

Therefore,  even  if  S£  fires  before  A,  its  output  tokens  will  not  be 
available  to  enable  F  until  after  A  fires.  Thus,  F  always  fires  after  A. 
So  under  the  Blocking  Discipline,  all  pairs  of  potentially-interfering 
firings  in  Alters'  are  sequenced;  i.e.,  the  program  is  determinate. 

The  only  language-dependent  feature  which  enters  into  the  argument 
in  support  of  the  Blocking  Discipline  is  what  may  be  termed 
The  Read-Only  Condition:  Every  write-class  operator  is  in  one  of  the 
m.p.d.g.'s  G(K(C,1))  or  G(K(C,2))  where  C  is  a  Copy  operator. 
Therefore,  in  any  program  P  which  satisfies  the  Read-Only  Condition, 
every  two  potentially-interfering  firings  in  distinct  blocking  groups 
are  sequenced  by  the  Blocking  Discipline.  If  P  also  satisfies  the 
Determinacy  Condition,  then  every  two  potentially-interfering  firings  in 
the  same  blocking  group  are  sequenced.  Therefore,  denoting  by  Lp  the 
subset  of  Lgg  consisting  of  the  programs  which  satisfy  both  Conditions, 
every  program  in  is  determinate  under  the  Blocking  Discipline.  The 
development  of  the  language  and  the  modified  interpreter,  which  are 
formally  defined  next,  has  met  part  of  the  goal  of  the  thesis;  the 
translation  from  L^y  to  given  in  Section  3.4  satisfies  the  remainder. 
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3.3  The  Language 

Section  3.3.1  precisely  defines  the  modified  interpreter  and  the 
Read-Only  Condition.  Section  3.3.2  then  gives  a  definition  of  blocking 
group  which  is  valid  on  any  interpreter,  and  the  detailed  Determinacy 
Condition. 

3.3.1  The  Modified  Data-Flow  Interpreter 

The  modified  interpreter  is  basically  just  the  tagged  interpreter 
with  the  Blocking  Discipline  imposed.  Two  optimizations  are  made,  however. 
These  are  motivated  in  the  first  sub-section  below.  Following  that  are 
full  definitions  of  the  state  and  the  state-transition  rule  of  the 
modified  data-flow  interpreter. 

3. 3. 1.1  Optimizations 

The  only  information  in  a  tag  which  is  needed  to  enforce  the  Blocking 
Discipline  is  whether  or  not  the  label  in  the  tag  is  the  label  of  a  Copy 
operator.  It  is  sufficient,  then,  that  all  the  tagged  pointers  ever 
appearing  in  a  configuration  be  distinguishable  into  two  classes:  those 
which  were  output  by  Copy  firings  and  those  which  were  not.  Therefore, 
the  first  optimization  is  to  replace  tagged  pointers  with  read  pointers 
and  write  pointers: 

Definition  3.3-1  A  read  pointer  is  an  ordered  pair  (p,R)  where  p  is  a 
pointer.  A  write  pointer  is  an  ordered  pair  (p,W)  where  p  is  a  pointer. 

A 
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An  initial  state  of  the  modified  interpreter  has  no  write  pointers  in  it. 
Select  firings  always  output  read  pointers,  and  write  pointers  are  output 
only  by  Copy  firings. 

Under  the  Blocking  Discipline,  for  any  two  tags  e  ■  Tg(C,n),  where 
C  is  a  Copy,  and  e'  *  Tg(S,j),  where  S  is  a  Select,  and  for  any  firing 
sequence  &,  if  the  j**1  firing  of  S  outputs  the  same  pointer  as  the  n*”*1 
firing  of  C,  then  all  firings  in  B^(e')  are  sequenced  after  all  firings  in 

B  (e).  By  the  Static /Dynamic  Group  Relationship,  all  firings  in  B  (e1) 

Sc  S2 

are  of  operators  in  the  m.p.d.g.  G(K(S,1)).  By  the  Read-Only  Condition, 
all  of  these  firings  are  of  read-class  operators.  Therefore,  none  of 
them  potentially  interferes  with  any  read-class  firings  which  may  be  in 
B  (e).  I.e.,  it  is  necessary  only  that  the  firings  in  B  (e')  be 

ub  db 

sequenced  after  all  the  write-class  firings  in  B  (e) ;  sequencing  them 
after  the  read-class  firings  as  well  entails  an  unnecessary  loss  of 
structure  concurrency. 

This  can  be  corrected  by  allowing  a  firing  of  C  to  place  read  pointers 
in  those  channels  which  lead  only  to  read-class  operators.  Then  the  only 
firings  in  B^(e)  guaranteed  to  have  write  pointers  as  inputs  are  the 
write-class  firings  (by  a  refined  version  of  the  Static/Dynamic  Group 
Relationship,  proven  as  Lemma  3.3-1).  So  the  disappearance  of  the  last 
such  write  pointer  is  a  signal  only  that  all  write-class  firings  in  B  (e) 

db 

have  occurred.  There  may  still  be  read-class  firings  in  B  (e)  which  have 

db 

not  occurred;  the  Blocking  Discipline  will  not  sequence  these  with  respect 
to  any  of  the  firings  in  B  (e'). 

db 
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Accordingly,  on  the  modified  interpreter,  the  two  groups  of  output 
arcs  of  a  Copy  operator  C  will  get  slightly  different  tokens:  Every  firing 
of  C  places  write  pointers  (p,W)  only  on  its  number-1  output  arcs,  while 
placing  read  pointers  (p,R)  on  its  number-2  output  arcs.  Additionally, 
the  Read-Only  Condition  is  refined: 

Definition  3.3-2  An  Lgg  program  P  satisfies  the  Read-Only  Condition  iff 
for  every  write-class  operator  d  in  P,  d  is  in  the  m.p.d.g.  G(K)  only  if 
K  *  K(C,1)  for  some  Copy  operator  C. 

A 

3. 3. 1.2  The  Modified  State 

A  state  of  the  modified  data-flow  interpreter  differs  from  a 
standard  interpreter  state  in  two  regards.  First  is  the  replacement  of 
simple  pointers  in  the  configuration  by  read  and  write  pointers: 

Definition  3.3-3  A  modified  configuration  of  a  data-flow  program  P 
consists  of: 

1.  P,  plus 

2.  an  association  of 

1.  a  non-pointer  value,  or 
ii.  a  read  pointer  or  a  write  pointer,  or 
ill.  the  symbol  null 
with  each  data  arc  of  P,  plus 

3.  an  association  of  a  symbol  from  the  set  {true,  false,  null)  with 
each  control  arc  of  P. 


A 
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The  second  distinctive  feature  of  a  modified  state  is  a  third 
component,  containing  the  pools  of  labels  of  Select  operators  whose  output 
tokens  are  being  withheld. 

Definition  3.3-4  A  modified  interpreter  state  is  an  ordered  triple 
(r.U.Q)  where 

T  is  a  modified  configuration 

U  is  a  heap  (Definition  2.2-1),  and 

Q:  V  -+  2L 
P 

is  the  pool  component ,  which  associates  set  of 
actor  labels  with  certain  pointers. 

A 

As  mentioned,  only  read  pointers  appear  in  an  initial  state  of  the 
modified  interpreter: 

Definition  3.3-5  A  modified  state  (T,U,Q)  is  an  initial  modified  state 
for  program  P  iff: 

1.  there  is  an  initial  standard  state  (r',U)  for  P  such  that  r  is  r' 
with  each  pointer  p  which  is  associated  with  an  arc  replaced  by 
the  read  pointer  (p,R),  and 

2.  Q  is  empty. 

A 

Clearly  there  is  a  one-to-one  correspondence  between  initial  standard 
states  and  initial  modified  states. 
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3. 3. 1.2  The  Modified  State-Transition  Rule 

The  state-transition  rule  for  the  modified  interpreter  differs  from 
that  for  the  standard  interpreter  in  two  relatively  minor  regards:  (1)  all 
pointer  inputs  and  outputs  of  a  structure  operator  are  read  and  write 
pointers,  and  (2)  the  appearance  of  the  output  tokens  of  a  Select  firing 
may  be  delayed,  in  accordance  with  the  Blocking  Discipline.  In  addition, 
the  enabling  conditions  for  an  actor  to  fire  must  be  augmented  to 
disallow  enabling  a  Select  whose  output  tokens  are  being  withheld. 

Definition  3.3t6  Given  a  modified  interpreter  state  (I\U,Q) ,  any  actor 
d  in  T  is  enabled  (to  fire)  iff 

1.  the  distribution  of  tokens  on  d’s  input  and  output  arcs  in  T  matches 
the  enabled  condition  for  d,  according  to  Definition  2.1-4,  and 

2.  if  d  is  a  Select  operator,  there  is  no  pointer  p  such  that  d€Q(p). 

A 

The  strong  connection  between  the  standard  and  the  modified  state- 
transition  rules  is  made  most  evident  if  these  are  treated  as  state- 
transition  functions.  That  is,  the  standard  rule  may  be  considered  to 
define  two  functions  from  the  current  state  and  an  actor  enabled  in  it  to 
the  new  standard  state: 

Definition  3.3-7  The  standard  state-transition  functions 
Standardp((r,U) ,d)  and  Standardy((r,U) ,d) 
are  defined  for  any  standard  state  (r,U)  and  any  actor  d  enabled  in  T. 
Their  values  are  the  configuration  and  heap,  respectively,  of  the  new 
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state  derived  by  applying  the  standard  state-transition  rule  to  (T,U) 
with  d  chosen  as  the  actor  to  fire. 

A 

These  functions  cannot  be  used  directly  for  the  modified  interpreter, 
because  they  are  not  defined  when  a  structure  operator's  input  is  a  read 
or  a  write  pointer.  This  incompatibility  is  rectified  by: 

Definition  3.3-8  The  function 

Strip(r.d) 

is  defined  for  any  modified  configuration  T  and  actor  d  in  T  to  be 
identical  to  r,  except  that  if  d  is  a  structure  operator,  each  input  token 
of  d  which  has  value  (p,R)  or  (p,W)  is  replaced  by  a  token  with  value  p. 

A 

Now  Standard^  (Strip(T,d) ,U) ,d)  and  Standardy((Strip(r,d) ,U) ,d)  are 
defined  for  any  modifed  state  (r,U,Q)  and  actor  d  enabled  in  T. 

Obeying  the  Blocking  Discipline  optimally  requires  a  two-step  state 
transition.  In  the  first  step,  an  enabled  actor  d  1b  fired:  The  approp¬ 
riate  tokens  are  removed  from  its  input  arcs,  and,  if  it  is  not  a  Select, 
the  appropriate  tokens  are  placed  on  its  output  arcs,  exactly  as  in  the 
standard  interpreter  (except  for  the  R  and  W  tags  in  pointers) .  If  d 
labels  a  Select,  however,  then  the  label  d  is  placed  in  the  pool  Q(p), 
where  p  is  the  pointer  which  this  firing  would  have  output  on  the  standard 
Interpreter.  The  result  of  applying  this  first  step  to  modified  state 
(r.U.Q)  and  enabled  actor  d  will  be  denoted  Fire((r,U,Q),d). 
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The  second  step  Is  to  release  any  Select  output  tokens  which  can  now 
be  allowed  to  appear  on  arcs  of  the  configuration.  The  decision  on 
whether  to  place  tokens  of  value  (p,R)  on  any  arcs  is  based  on  the  presence 
or  absence  of  any  tokens  with  value  (p,W).  If  there  are  none,  then  tokens 
with  value  (p,R)  are  placed  on  all  the  data  output  arcs  of  the  Selects 
labelled  by  all  the  labels  in  the  pool  Q(p) .  The  result  of  applying  this 
second  step  to  any  modified  state  (T.U.Q)  will  be  denoted  Release(( T.U.Q) ) . 
Therefore,  the  overall  state-transition  function  for  the  modified  inter¬ 
preter  is  Release(Fire((r,U,Q) ,d)) .  The  reason  for  a  two-step  transition 
is  a  subtle  one,  and  will  be  given  after  the  following  precise  statement 
of  the  rule: 

Definition  3.3-9  The  state-transition  rule  for  the  modified  data-flow 
interpreter  is: 

Given  a  state  (T,U,Q)  in  a  state  sequence,  each  possible  next  state  in  the 
sequence  is  found  by: 

1.  Choose  one  actor  d  enabled  to  fire  in  T. 

2.  The  next  state  is  then  Release(Fire( (r,U,Q) ,d) ) ,  where  the 
functions  Fire  and  Release  are  defined  below. 

Let  rs**Standardr((Strip(r,d) ,U) ,d)  and  Us»Standardu((Strip(r,d) ,U) ,d) . 
Fire((r,U,Q) ,d)  is  defined  by: 

1.  If  d  is  not  a  Copy  or  a  Select  operator,  then 

Fire((r,U,Q) ,d)  -  <rs,Us,Q) 

2.  If  d  is  a  Copy  operator,  let  pointer  p  be  the  value  of  the  tokens 
on  d's  data  output  arcs  in  Fg.  Let  f'  be  Tg  with  the  tokens  on  d's 


I 
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number-1  output  arcs  having  value  (p,W)  and  the  tokens  on  d's 
number-2  output  arcs  having  value  (p,R).  Then 
Fire((r,U,Q) ,d)  -  (T'.Ug.Q) 

3.  If  d  is  a  Select  operator: 

a.  If  the  value  of  the  tokens  on  d's  output  arcs  in  is  undef,  then 

b  ' 

Fire((I\u,Q),d)  -  (Tg.Ug.Q) 

b.  Otherwise,  let  pointer  p  be  the  value  of  the  tokens  on  d's  data 

output  arcs  in  Fg.  Let  r'  be  Tg  with  these  tokens  removed,  and 

let  Q'  denote  the  function 

(  Q(r)  if  r  *  p 

Q’(r)  -  { 

(  Q(p)U{d>  if  r  -  p 

Then 

Fire((r,U,Q) ,d)  -  (r'.Ug.Q') 

Release((r,U,Q))  «  (r",U,Q")  where  F"  and  ;Q"  are  identical  to  r  and  Q 
except  that: 

For  any  pointer  p  such  that  Q(p)  is  non-empty  and  there  are  no  tokens 
with  value  (p,W)  in  T, 
for  all  c€Q(p), 

r"  has  tokens  of  value  (p,R)  on  all  of  c's  data  output  arcs, 
and  Q"(p)  is  the  empty  set. 

Under  this  rule,  no  tokens  with  value  (p,R)  appear  on  the  output  arcs  of  a 
Select  operator  except  as  they  are  released  during  the  second  step  of  some 
state  transition.  Since  this  never  occurs  while  there  are  any  tokens  with 
value  (p,W),  the  Blocking  Discipline  is  obeyed. 
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It  will  be  noted  that  the  decision  to  release  tokens  at  the  second 
step  of  a  transition  Is  based  on  the  configuration  after  the  first  step. 

As  will  be  seen  In  Section  8.2,  this  two-step  transition  is  easier  to 
implement  than  a  single-step  transition.  The  only  semantic  significance 
arises  in  the  case  that  a  Select  firing  <p  inputs  the  value  (p,W)  and 
outputs  the  value  (p,R).  (This  implies  that  there  is  a  branch  from  the 

notje  pointed  to  by  p  to  itself;  this  is  valid  in  the  heaps  defined.) 

\ 

If  the  token  removed  by  <p  is  the  only  one  with  value  (p,W),  then  the 
output  tokens  of  <p  will  be  released  at  the  second  step  of  the  same  trans¬ 
ition.  If  the  transition  were  made  in  one  step,  however,  the  decision 
to  release  the  tokens  could  be  based  only  on  the  configuration  before  the 
entire  transition.  Then  there  would  be  no  choice  but  to  withhold  them 
until  the  following  transition.  Thus  the  two-step  transition  is  easier 
to  implement  and  may  give  rise  to  increased  concurrency. 

This  completes  the  formal  specification  of  the  modified  interpreter 
embodying  the  Blocking  Discipline.  It  is  proven  in  the  next  four 
chapters  that  any  program  satisfying  both  the  Determlnacy  Condition 
and  the  Read-Only  Condition  is  determinate  on  the  modified  interpreter. 

The  Read-Only  Condition  has  already  been  stated  precisely.  Now  the 
Determlnacy  Condition  and  the  concept  of  blocking  groups  are  defined  for 
programs  run  on  the  modified  interpreter. 

3.3.2  The  Determlnacy  Condition 

Blocking  groups  were  introduced  on  the  tagged  interpreter.  Each 
group  was  associated  with  a  tag  uniquely  denoting  a  program  input  arc  or  a 
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Copy  or  Select  firing.  On  that  interpreter,  each  pointer-valued  token 
removed  by  a  firing  had  one  of  these  tags,  and  the  firing  was  in  the 
blocking  group  for  that  tag.  But  these  Cumbersome,  if  convenient, 
tags  have  been  eliminated  from  the  modified  interpreter.  Therefore,  the 
concept  of  tag-bearing  tokens  is  abstracted  away  from  the  concept  of 
blocking  group  in  the  following  definition.  At  the  same  time,  blocking 
groups  are  sub-divided  to  reflect  the  slight  difference  between  the 
number-1  and  number-2  outputs  of  a  Copy  on  the  modified  interpreter; 
the  utility  of  this  will  be  seen  shortly. 

Definition  3.3-10  (Blocking  groups)  For  any  firing  sequence  2,  starting 
in  any  initial  state  for  any  program  P,  denote  by  PRF(S2)  the  set  of 
firings  cp  in  ft  satisfying  one  of  the  following: 

a.  cp  is  a  firing  of  a  structure  operator  in  P,  or 

b.  tp  is  a  firing  of  a  pi  actor  in  P  from  a  transmit ted-input  arc  of 

which  cp  removes  a  read  or  a  write  pointer. 

The  set  of  sub-blocking  groups  in  ft  is  a  partition  of  PRF(ft) .  The  partic¬ 
ular  sub-blocking  group  containing  any  given  firing  cp  of  an  actor  d  is 
determined  from  the  primary  input  arc  b  of  d  as  follows: 

1.  If  b  is  the  i1*1  program  input  arc  of  P,  then  cp  is  in  just  the  sub¬ 
blocking  group  denoted  by  SB  (ID,i). 

OV 

2.  If  b  is  a  data  arc  in  the  number-i  group  of  output  arcs  of  a  Copy 

or  Select  operator  d',  then  cp  is  in  just  SB  (d',n,i),  n  being  such 

that  the  token  removed  from  b  by  cp  is  the  n^  to  appear  on  b  in  ft. 
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3.  If  b  Is  an  output  arc  of  a  pi  actor  d',  then  <p  is  in  the  same  sub¬ 
blocking  group(s)  as  the  firing  of  d'  which  placed  on  b  the  token 
removed  by  <p. 

Finally,  the  blocking  groups  in  2  are  given  by: 

1.  For  all  i,  the  blocking  group  denoted  by  B  (ID,i)  is  just  SB  (ID,i). 

uu  Ob 

2.  For  any  Select  operator  S  and  for  all  n,  the  blocking  group  denoted 
by  Bc(S,n)  is  just  SB^S.n.l). 

3.  For  any  Copy  operator  C  and  for  all  n,  the  blocking  group  denoted 
by  B^fC.n)  is  SB^CC.n.DUSB^CC.n^) . 


With  the  substitution  of  "tagged  pointer"  for  "read  or  write  pointer", 
this  definition  gives  the  same  set  of  blocking  groups  for  a  firing 
sequence  on  the  tagged  interpreter  as  did  the  earlier,  informal  one. 
Now  the  Determlnacy  Condition  can  be  made  precise: 


Definition  3.3-11  A  program  P  satisfies  the  Determlnacy  Condition  iff 
the  following  is  true  for  every  pair  of  distinct  structure  operators 
d^  and  dj  in  P  and  every  initial  state  S  for  P:  Let  2  be  any  firing 
sequence  starting  in  S  in  which  the  i**1  firing  of  d^  and  the  j**1  firing 
of  are  in  a  common  blocking  group  and  potentially  interfere.  For  any 
other  firing  sequence  2'  starting  in  any  state  equal  to  5,  the  lt(l  firing 
of  and  the  j**1  firing  of  dj  appear  in  the  same  relative  order  in  2' 
as  in  2. 


With  this,  the  language  is  fully  specified: 
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Deflnltion  3.3-12  The  determinate  8 true ture-aa-s to rage  data-flow  language , 
Lp,  consists  of  those  LgS  programs  which  satisfy  both  the  Determinacy 
Condition  and  the  Read-Only  Condition. 

A 

A  syntactic  characterization  of  all  programs  which  satisfy  the 
Determinacy  Condition  has  yet  to  be  found.  It  is  known  that  the  complex¬ 
ity  of  any  such  characterization  is  reduced  by  the  fact  that  if  firings 
of  two  actors  are  in  a  common  sub-blocking  group,  then  the  actors  are  in 
the  same  m.p.d.g.  This  follows  from  the  Static/Dynamic  Group  Relationship, 
a  comprehensive  version  of  which  can  now  be  proven  formally: 

Definition  3.3-13  An  Lfis  program  P  satisfies  the  Static/Dynamic  Group 
Relationship  iff  for  every  firing  sequence  Q  starting  in  any  initial  state 
5  for  P,  A  and  B  below  are  true  for  every  firing  <p  in  PRF(&) .  Let  d  be 
the  actor  of  which  <p  is  a  firing,  and  let  v  be  the  value  removed  by  <p  from 
d's  primary  input  arc. 

A:  Exactly  one  of  the  following  two  statements  is  true  of  <p: 

1.  There  is  exactly  one  Integer  i  such  that  <p  is  in  SB  (ID,i),  d  is 

wfa 

in  G(K(ID,i)),  and  there  is  a  token  of  value  v  on  P's  number-i 
program  input  arc  in  S. 

2.  There  is  exactly  one  Copy  or  Select  operator  S  in  P,  and  exactly 
one  Integer  n  and  one  integer  i,  such  that  cp  is  in  SB^(S,n,i), 

d  is  in  G(K(S,1)),  the  n**1  tokens  to  appear  on  S's  number-1 
group  of  output  arcs  in  2  have  value  v,  and  that  appearance  does 
not  follow  the  appearance  of  the  token  removed  by  <p. 


’jrtSs,. 


B:  Value  v  is  a  write  pointer  iff  <p  is  in  SB  (C,n,l)  for  some  Copy 

db 

operator  C  and  some  integer  n>0. 

A 

Lemma  3.3-1  Every  LfiS  program  running  on  the  modified  interpreter  satis¬ 
fies  the  Static/Dynamic  Group  Relationship. 

Proof :  Let  5  be  any  initial  modified  state  of  any  L^g  program  P.  Proof 
is  by  induction  on  the  length  of  the  firing  sequences  starting  in  S . 
Induction  hypothesis  is  that  A  and  B  are  true  for  every  firing  in  every 
length-n  firing  sequence  starting  in  S . 

Basis:  n  «*  0.  Vacuously  true. 

Induction  step:  Assume  the  induction  hypothesis  is  true  for  n  *  k>0,  and 
consider  it  for  n  -  k+1. 

(1)  Let  2  «  0(p  be  any  length-n  firing  sequence  starting  in  S.  Then  A 

and  B  are  true  for  every  firing  In  0  ind.  hyp. 

(2)  If  <p  Is  not  in  PRF(2) ,  then  A  and  B  are  true  for  every  firing  in  2 

(1) 

(3)  Assume  <p  is  in  PRF(2) .  Let  d  be  the  actor  of  which  <p  is  a  firing, 

let  b  be  d's  primary  input  arc,  and  let  v  be  the  value  of  the  token 

removed  from  b  by  <p.  Then  v  is  a  read  or  a  write  pointer 

Defs.  3 . 3-10+3 . 2-1+2 . 2-5 

(4)  The  token  removed  from  b  by  <p  either  was  on  b  in  S  or  was  placed 

there  as  the  result  of  a  state  transition  of  the  modified  inter¬ 
preter.  That  token  is  on  b  in  £  4  b  is  a  program  input  arc 


(3)+Defs.  3.3-54-2.2-6 

(5)  That  token  was  placed  on  b  at  a  transition  »  b  is  a  data  output  arc 


ill  H'llUlWl,l><> 
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of  a  Copy  or  Select  operator,  or  a  token  of  pointer  value  can  be 
placed  on  b  at  a  transition  of  the  standard  interpreter 

(3)4-Defs.  3.3-94-3.3-7 

(6)  «*  b  is  a  data  output  arc  of  a  Copy,  Select,  or  pi  actor  Pef.  2.2-4 

(7)  b  is  either  a  program  input  arc  or  a  data  output  arc  of  a  Copy, 

Select,  or  pi  operator  (4)4-(5)4-(6) 

Case  I:  b  is  the  number-i  program  input  arc 

(8)  ip  is  in  just  SB  (ID,i),  and  so  is  not  in  SB  (C,n,l)  for  any  Copy 

operator  C  and  integer  n  Def.  3.3-10 

(9)  b  is  in  K(ID,i),  so  b  is  in  a  channel  starting  at  b€K(ID,i),  so 

d  is  in  G(K(ID,i))  *  Def.  3.2-1 

(10)  b  is  not  an  output  arc  of  any  actor  Def.  2.1-1 

(11)  No  state  transition  can  cause  a  token  to  be  placed  on  b,  so  the 

token  removed  from  b  by  q>,  which  is  of  value  v,  is  on  b  in  S 

(10)4-Defs.  3.3-94-2.2-54-2.1-5 

(12)  v  is  a  read  pointer  (3)4-Def.  3.3-5 

Case  II:  b  is  a  data  output  arc  of  a  Copy  or  Select  operator  S 

(13)  There  is  exactly  one  n  such  that  the  token  removed  from  b  by  cp  is 

the  n**1  to  appear  there  in  Q,  and  there  is  exactly  one  i  such  that 

b  is  in  the  number-i  group  of  output  arcs  of  S  Def.  2.1-1 

(14)  <p  is  in  just  SB  (S,n,i)  (13)4-Def.  3.3-10 

db 

(15)  b  is  in  K(S,1) ,  so  d  is  in  G(K(S,1))  Def.  3.2-1 

(16)  The  n1*1  set  of  tokens  to  appear  on  the  number-1  group  of  output  arcs 


of  S  in  2  includes  the  token  removed  from  b  by  <p,  and  so  those 
tokens  have  value  v  and  their  appearance  does  not  follow  that  of 
the  token  removed  by  <p  (13) 
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(17)  v  Is  a  write  pointer  Iff  S  la  a  Copy  and  1-1  (13)+Def.  3.3-9 

(18)  Iff  <j>€SB^(C,n,l)  for  sone  Copy  C  and  integer  n  (14) 

Case  Ill:  b  is  an  output  arc  of  a  pi  actor  d' 

(19)  There  is  a  prefix  of  0  such  that  the  token  removed  from  b  by  ^ 

is  not  on  b  in  but  is  on  b  in  S*A<p',  sO(p'  is  a  firing  of  d* 

and,  letting  5* A  be  (r,U,Q),  there  is  a  token  of  value  v  on  b  in 
Standardr((Strip(r,d'),U),d’)  Def.  3.3-9 

(20)  <p'  removes  a  token  of  value  v  which  is  on  a  transmltted-input  arc 

a  of  d'  in  Strip(r.d')  (19)+Defs.  3. 3-7+2. 2-4 

(21)  tp *  removes  a  token  of  value  v  from  a  primary  input  arc  a  of  d* 

which  is  on  a  in  T  (20)+Defs.  3. 2-1+3. 3-8 

(22)  <p  is  in  the  same  sub-blocking  group(s)  as  ip'  (19)+Def.  3.3-10 

(23)  b  is  in  every  channel  a  is  in,  so  d  is  in  every  distribution  group 

d'  is  in  Def.  3.2-1 

(24)  <p'  is  in  0,  so  it  is  in  PRF(6)  (21)+Def.  3.3-10 

(25)  Either  <p'  is  in  SBg(ID,i)  for  exactly  one  i,  or  <p'  is  in  SBg(S,n,i) 

for  exactly  one  Copy  or  Select  operator  S,  one  n,  and  one  i 

(24)+(l)+Def .  3.3-10 

(26)  Either  <p'  is  in  SBa(ID,i)  for  exactly  one  i,  or  <p'  is  in  SBa(S,n,i) 

for  exactly  one  Copy  or  Select  operator  S,  one  n,  and  one  i 

(25)+Def .  3.3-10 

(27)  Either  <p  is  in  SB^(ID,i)  for  exactly  one  i,  or  <p  is  in  SBg(S,n,l) 

for  exactly  one  Copy  or  Select  operator  S,  one  n,  and  one  i(26)+(22) 

(28)  Por  any  i,  <p€SBa(ID,i)  -  <p' €SBa(ID,i)  •  [d* €G(K(ID,i))  and  there  is 

a  token  of  value  v  on  P's  number-i  program  input  arc  in  Si  - 
d€G(K(ID,i))  (22)+(24)+(l)+(23)+(21)+Def.  3.3-13 
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(29)  For  any  Copy  or  Select  operator  S,  any  n,  and  any  i,  <p€SBQ(S,n,i) 

=,  (p*  ^SB  (S,n,l)  »  d'€G(K(S,i))  and  the  nth  tokens  to  appear  on 
S’s  number-i  output  arcs  in  0  have  value  v,  and  that  appearance 
does  not  follow  the  appearance  of  the  token  removed  from  a  by  <p' 

(22)+(24)+(l)+(21)+Def.  3.3-10 

(30)  The  appearance  of  the  token  removed  from  b  by  cp  follows  the 

appearance  of  the  token  removed  from  a  by  <p'  (21)+(19) 

(31)  <p€SB  (S,n,i)  =>  d€G(K(S,i))  and  the  appearance  of  the  nth  set  of 

uG 

tokens  to  appear  on  S's  number-i  group  of  output  arcs  does  not  fol¬ 
low  the  appearance  of  the  token  removed  from  b  by  <p  (29)+(23)+(30) 

(32)  v  is  a  write  pointer  iff  <p*  «SBa(C,n,l)  for  some  Copy  operator  C 

and  integer  n  >  0  (21)+(24)+(l)+Def .  3.3-13 

(32)  iff  (pfSB  (C,n,l)  <22> 

a  A 

The  Determinacy  Condition  concerns  only  pairs  of  structure  operator 
firings  in  a  common  blocking  group.  Therefore,  any  syntactic  test  for 
this  Condition  need  consider  only  pairs  of  structure  operators  in  the  same 
or  in  closely-related  m.p.d.g.’s.  Specif icially,  any  pair  of  such  opera¬ 
tors  d^  and  d^  must  be  in  either  G(K(ID,i))  for  some  i,  G(K(S,1))  for 
some  Select  operator  S,  or  G(K(C,1))UG(K(C,2))  for  some  Copy  operator  C. 
Table  3.1-1  may  reveal  that  no  firing  of  d^  potentially  interferes  with 
any  firing  of  d2*  Otherwise,  one  of  d^  and  d2  must  be  in  the  write  class. 
If  the  Read-Only  Condition  is  satisfied  (which  is  easily  confirmed),  then 
that  write-class  operator  must  be  in  G(K(C,1))  for  some  Copy  operator  C. 
Thus  both  dx  and  d2  must  be  in  G(K(C,1))UG(K(C,2)) ,  and  some  firings  of 
them  may  have  to  be  sequenced. 
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The  only  syntactic  test  for  this  sequencing  which  Is  known  to  be 
valid  covers  an  Important  special  case:  If  none  of  the  channels  starting 
at  arcs  in  K(C,1)UK(C,2)  contains  an  input  or  output  arc  of  a  gate,  then 
it  is  sufficient  that  there  is  a  directed  path  from  d^  to  d^  which  is 
similarly  free  of  gate  input  and  output  arcs.  Furthermore,  the  following, 
quite  general  test,  is  believed  to  be  correct:  A  well-formed  data-flow 
program  is  an  acyclic  interconnection  of  individual  actors,  conditional 
constructs  like  Figure  2.1-6,  and  iteration  constructs  in  the  fashion  of 
Figure  2.1-4  [13].  In  a  well-formed  program,  it  is  sufficient  that  d^ 
and  d^  either: 

1.  are  in  separate  subprograms  of  a  conditional  construct,  or 

2.  have  a  directed  path  between  them. 

Finally,  it  is  now  possible  to  fully  appreciate  the  decisions  to 
associate  two  m.p.d.g.'s  with  each  Copy  operator  and  two  sub-blocking 
groups  with  each  Copy  firing.  Both  help  simplify  the  proof  that,  in  a 
program  satisfying  the  Read-Only  Condition,  all  firings  of  write-class 
operators  input  write  pointers;  this  in  turn  is  a  key  to  the  effectiveness 
of  the  Blocking  Discipline.  The  proof  consists  of  two  simple  steps: 

1.  For  every  write-class  operator  d,  there  is  a  Copy  operator  C  such 
that  d  is  in  G(K(C,1))  (Read-Only  Condition). 

2.  Every  firing  of  d  is  in  SB  (C,n,l)  for  some  n,  and  every  firing  of 

w 

d  inputs  a  write  pointer  (Static/Dynamic  Group  Relationship) . 
Clearly,  without  the  separate  notations  for  G(K(C,1))  and  SB  (C,n,l),  the 

w 

expression  of  this  proof  would  be  considerably  less  elegant. 
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3.4  The  Translation 

The  previous  section  has  specified  the  data-flow  language  and 

the  modified  data-flow  interpreter.  It  is  proven  in  succeeding  chapters 

that  on  the  modified  interpreter,  any  program  is  determinate,  hence 

functional.  This  partially  meets  the  primary  goal  of  the  thesis;  the 

remaining  requirement  is  satisfied  in  this  section,  by  presenting  an 

algorithm  which  translates  any  well-behaved  L  program  into  an  equivalent 

oV 

Lp  program. 

The  translation  is  an  improved  version  of  the  simplistic  one  given 

earlier  (Algorithm  3.2-1).  That  algorithm  replaces  each  Const,  Append, 

and  Remove  operator  in  an  LD„  program  with  a  combination  of  L„„  operators: 

ov  fib 

a  Copy  C,  a  sequencer  G,  and  an  Assign,  Update,  or  Delete  U,  arranged  as 
in  Figure  3.2-3.  A  minor  refinement  is  obviously  needed  to  guarantee  that 
the  resulting  LfiS  program  satisfies  the  Read-Only  Condition:  U's  primary 
input  arc  is  made  the  only  number-1  output  arc  of  the  Copy.  In  this  way, 
the  single  write-class  firing  in  any  blocking  group  is  the  only  one  to 
input  a  write  pointer. 

Every  firing  of  U  is  always  sequenced  before  every  other  firing  in 
the  same  blocking  group.  This  is  because,  for  every  actor  d^U  of  which 
there  is  a  firing  in  that  blocking  group,  d  is  in  the  m.p.d.g.  G(K(C,2)); 
i.e.,  its  primary  input  arc  is  in  a  channel  starting  at  an  output  arc  of  C, 
and  every  such  channel  goes  through  G.  There  may  be,  however,  an  output 
arc  b  of  C  such  that  all  channels  starting  at  b  end  at  number-3  input 
arcs  of  other  Updates.  None  of  those  other  Updates  is  in  G(K(C,2)),  so 
none  of  their  firings  is  in  the  same  blocking  group  as  any  firing  of  U. 
Therefore,  having  all  those  channels  go  through  G  results  in  an  unnecessary 
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loss  of  structure  concurrency.  Easing  this  constraint  may  in  turn  lead  to 
G's  having  no  output  arcs,  in  which  case  G  itself,  along  with  its  input 
arcs,  can  be  removed.  These  considerations  are  precisely  stated  in  the 
following. 

Algorithm  3.4-1  This  algorithm  constructs,  from  any  program  P,  an 
LgS  program  P' .  It  also  constructs  two  maps:  T,  from  the  actor  labels  in 
P  to  those  in  P',  and  A,  from  the  arcs  in  P  to  those  in  P'. 

Let  Lp  be  the  set  of  labels  of  the  actors  in  P.  Let  T  be  any  function 
T:  Lp  -  LpU(L  -  Lp)3 

such  that: 

1.  If  d  does  not  label  a  Const,  Append,  or  Remove,  then  T(d)  »  d. 

2.  Otherwise,  T(d)  is  a  triple  (C,U,G)  of  labels  not  In  Lp. 

3.  No  label  appears  more  than  once  in  all  of  the  triples  in  the  range 
of  T. 

Then  P'  is  the  unique  Lgs  program,  and  A  the  unique  map,  satisfying  the 
following  specifications: 

For  each  actor  in  P,  let  d  be  its  label.  Then: 

The  actor  is  not  a  Const,  Append,  or  Remove  iff  there  is  an  actor  of 
the  same  type  in  P',  labelled  with  T(d) . 

The  actor  is  a  Const/Append/Remove  iff  there  are  three  actors  in  P' 
labelled  with  the  labels  In  the  triple  T(d)  ■  (C,U,G),  and  C  labels 
a  Copy,  G  a  sequencer,  and  U  an  Assign/Update/Delete. 

For  each  arc  b  in  P: 

If  b  is  not  an  input  or  an  output  arc  of  a  Const,  Append,  or  Remove, 
then  b  is  an  input  (output)  arc  of  the  actor  labelled  d  in  P  iff 
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A(b)  is  the  same  Input  (output)  arc  of  the  actor  labelled  T(d)  in  P'. 

If  b  is  an  input  or  output  arc  of  a  Const,  Append,  or  Remove  labelled 

d  in  P,  let  T(d)  -  (C,U,G) .  Then 

1.  b  is  the  number-1  input  arc  of  d  iff  A(b)  is  the  number-1 
input  arc  of  C  (Figure  3.4-1), 

2.  b  is  the  number-2  (number-3)  input  arc  of  d  iff  A(b)  is  the 
number-2  (number-3)  input  arc  of  U. 

3.  b  is  a  control  output  arc  of  d  iff  A(b)  is  a  control  output 
arc  of  U. 

4a.  If  b  is  a  data  output  arc  of  d  and  every  channel  in  P  starting 
at  b  ends  at  a  number-3  input  arc  of  an  Append,  then  A(b)  is  a 
number-2  output  arc  of  C. 

4b.  b  is  a  data  output  arc  of  d  and  not  every  channel  in  P  starting 
at  b  ends  at  a  number-3  input  arc  of  an  Append  iff  A(b)  is  an 
output  arc  of  G. 

Finally,  for  each  Const,  Append,  or  Remove  actor  d  in  P,  let  T(d)  be 
(C,U,G).  Then  there  are  three  arcs  in  P*  interconnecting  C,  U,  and  G  as 
in  Figure  3.4-1  (these  arcs  are  not  in  the  map  A).  The  input  arc  of  U  is 
the  only  arc  in  the  number-1  group  of  output  arcs  of  C.  (If  sequencer  G 
has  no  output  arcs,  it  may  be  removed,  along  with  its  input  arcs.) 

A 

Clearly  A  as  defined  is  a  similarity  mapping  from  P  to  P'. 

Figure  3.4-2  depicts  the  LgS  program  AlterS2',  which  is  the  result  of 
translating  the  L_„  program  AlterV2  (Figure  2.3-7a).  Note  that  the  only 
difference  between  AlterS2'  and  AlterS2  (Figure  2.3-7b)  is  the  insertion 
of  a  sequencer  which  forces  to  fire  after  U^. 

> 
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Figure  3.4-2 
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The  proof  that  this  algorithm  translates  any  well-behaved  program 
P  Into  an  equivalent  program  P'  Is  In  three  steps: 

1.  P*  satisfies  the  Read-Only  and  Determinacy  Conditions  (i.e.,  P'CLp). 

2.  Every  program  is  functional. 

3.  If  P  is  well-behaved  and  P'  is  functional,  then  P'  is  equivalent 
to  P. 

The  first  and  third  steps  are  presented  below.  The  proof  of  the  second 
step  occupies  the  next  four  chapters. 

Theorem  3.4-1  Let  P'  be  any  L^s  program  produced  by  Algorithm  3.4-1  as 
the  translation  of  some  LfiV  program  P.  Then  P'  satisfies  the  Read-Only 
Condition  and  the  Determinacy  Condition. 

Proof: 

(1)  Let  U  be  any  write-class  operator  in  P' 

(2)  U  is  not  in  P  (1)+Defs.  3. 1-2+2. 2-3 

(3)  D  is  introduced  into  P*  by  Algorithm  3.4-1  (l)+(2) 

(4)  There  is  a  unique  Copy  C  in  P'  connected  to  U  as  in  Figure  3.4-1 

(l)+(3)+Alg.  3.4-1 

(5)  The  primary  input  arc  b  of  U  is  in  the  number-1  group  of  output 

arcs  of  C  (4)+Alg.  3.4-1+Def.  3.2-1 

(6)  There  is  exactly  one  channel  containing  b  which  starts  at  a  program 

input  arc  of  P'  or  a  data  output  arc  of  a  Select  or  Copy  operator, 
and  that  starts  at  a  number-1  output  arc  of  C  (5)+Def.  3.2-1 

(7)  The  only  m.p.d.g.  containing  U  is  G(K(C,1))  (5)+(6)+Def.  3.2-1 

(8)  P'  eatlsfias  the  Read-Only  Condition  (7)+Def.  3.3-2 
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(9)  Let  2  be  any  firing  sequence  starting  In  any  Initial  state  S  for  P' 

(10)  Let  d^  and  d^  be  any  two  structure  operators  In  P*  such  that  two 

distinct  firings  of  d^  and  <p ^  of  d2  are  both  In  the  same 
blocking  group  In  2  and  they  potentially  Interfere 

(11)  One  of  d^  and  d2  is  write-class;  let  it  be  d^  (10)+Table  3.1-1 

(12)  The  primary  Input  arc  of  d^  is  the  only  number-1  output  arc  of 

some  Copy  operator  C  (ll)+(l)+(4)+(5) 

(13)  The  nC^  firing  of  any  non-gate  actor  d  removes  from  each  input  arc 

of  d  the  n^  token  to  appear  there,  and  places  on  each  output  arc 
of  d  the  n***  token  to  appear  there  Def.  2.1-5 

(14)  Let  n  be  such  that  is  the  n**1  firing  of  d^  In  2.  Then 

removes  the  n**1  token  to  appear  on  its  primary  input  arc  (13) 

(15)  <p^€Bg(C,n),  and  no  other  firing  of  d^  is  in  B^(C,n) 

(12)+(14)+Def .  3.3-10 

(16)  <p2®a(C.  n)  (15)+(10) 

(17)  <p2  is  in  SBfi(C,n,l)  or  SB2(C,n,2)  (16)+Def.  3.3-10 

(18)  d2  is  in  G(K(C,1))  or  G(K(C,2))  (17)+Lennna  3.3-1+Def.  3.3-13 

(19)  The  only  channel  starting  at  a  number-1  output  arc  of  C  contains 

just  the  number-1  input  arc  of  d^  (12)+Alg.  3.4-1+Def.  3.2-1 

(20)  d^  is  the  only  actor  in  G(K(C,1))  (19)+Def.  3.2-1 

(21)  d2  is  in  G(K(C,2))  (18)+(20)+(10) 

(22)  There  is  a  label  R  of  an  actor  in  P  and  a  label  G  of  a  sequencer 

in  P'  such  that  T(R)  -  (C.d^G)  (ll)+(12)+Alg.  3.4-1 

(23)  The  primary  input  arc  of  G  is  an  output  arc  of  C,  and  its  other 

input  arc  is  the  output  arc  of  d^  (22)+Fig.  3.4-1 

(24)  The  n  firing  of  G,  <p„,  removes  the  n  tokens  to  appear  on  both 

V> 


of  Its  Input  arcs 


(13) 


(25)  <p_  Is  in  Brt(C,n),  and  no  other  firing  of  G  is  in  B_(C,n) 

(23)+(24)+Def .  3.3-10 

(26)  <pG  follows  (px  in  2  (14)+(24)+(13) 

Next  prove  the  following,  by  induction  on  the  length  of  2: 

A:  Let  d  be  any  actor  such  that  d€G(K(C,2))  but  d/G.  Then  any  firing 

of  d  which  is  in  B  (C,n)  follows  tp  in  2. 

Sc  g 

Basis:  |2|  «  0.  Vacuously  true. 

Induction  step:  Assume  A  is  true  for  every  firing  sequence  of  length  n, 
and  consider  9q>  of  length  n+1.  If  tp  is  not  in  B^(C,n),  then  A  is  true 
for  6<p  by  induction  hypothesis.  Therefore,  assume 

(27)  <p€Bg(C,n)  and  is  a  firing  of  d€G(K(C,2)) 

(28)  There  is  at  least  one  channel  starting  at  an  arc  in  the  number-2 

group  of  output  arcs  of  C  and  containing  the  primary  input  arc 
of  d  (27)-H)ef .  3.2-1 

(29)  Since  the  number-3  input  arc  of  an  Update  is  not  its  primary  input 

arc,  that  channel  must  start  at  G*s  transmltted-lnput  arc 

(28)+Def .  3 . 2-1+Alg .  3.4-1 

(30)  Since  G  is  a  pi  actor,  that  channel  also  Includes  an  output  arc 

of  G  (29)+Def.  3.2-1 

(31)  Since  d#G,  no  primary  input  arc  of  d  is  an  output  arc  of  C 

(29)+Def.  3.2-1 

(32)  The  primary  input  arc  b  of  d  from  which  <p  removes  a  token  is  an 

output  arc  of  a  pi  actor  d',  and  that  token  was  placed  on  b  by  a 
firing  <p'  of  d'  also  In  BQ(C,n) 


(33)  <p  follows  <p ' 


(31)+Def .  3.3-10 
(32)+Def.  2.1-5 


/ 

/ 
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There  are  two  cases  for  d':  either  d'  ■  G  or  d'  t  G. 
Case  I:  d*  -  G. 


(34) 

(35) 

(36) 
Case 

(37) 

(38) 

(39) 

(40) 

(41) 

(42) 

(43) 

(44) 

(45) 

(46) 

(47) 


(48) 


<p  is  the  only  firing  of  G  ■  d’  in  B  (C,n)  (25) 

V  Ob 

<p„  -  <p'  (32)+(34) 

U 

m  follows  <p  (33)+(35) 

II:  d’  #  G 

d  r^G(K(C, 2) )  =»  there  is  no  channel  starting  in  the  number-2  group  of 
output  arcs  of  C  including  a  primary  input  arc  of  d'  Def.  3.2-1 
=>  there  is  no  channel  starting  in  the  number-2  group  of  output  arcs 


of  C  which  includes  b 

(32)+Def .  3.2-1 

d'€G(K(C,2)) 

(38)+(27) 

<p'  is  in  6 

(33) 

<p'  follows  <PG 

(39)+(40)+ind.  hyp. 

cp  follows  (PG 

(4l)+(33) 

A  for  0<p 

(36)+(42) 

d2€G(K(C,2))  and  d^G 

(21)+(10) 

Any  firing  of  d2  which  is  in  B^(C,n)  follows  <p^ 

(44)+A+(26) 

q>2  follows  <p^  in  Q 

(10)+(16)-f(45) 

If  J  is  such  that  <p^  i a  the  j**1  firing  of  then  for  any  other 
firing  sequence  starting  in  any  initial  state  for  P,  the 
firing  of  d2  follows  the  n**1  firing  of  d^  (9)+(14)+(46)+(45) 

P'  satisfies  the  Determinacy  Condition  (9)+(47)+Def .  3.3-11 

A 


This  completes  the  first  step  in  the  proof  that  Algorithm  3.4-1 
translates  an  program  P  into  an  equivalent  program  P' :  P'  is  in  L^. 

The  third  step  is  presented  next:  If  P  is  well-behaved  and  P'  is 


functional,  then  P'  is  equivalent  to  P.  P'  is  equivalent  to  P  iff  for 
every  initial  state  S  for  P  and  halted  firing  sequence  2  starting  in  S, 
for  every  initial  state  S'  for  P'  simulating  S  and  halted  firing  sequence 
2'  starting  in  S',  the  final  state  S' * S2*  simulates  S*Q. 

Since  P  is  an  Lgv  program,  it  is  functional;  i.e.,  all  halted  firing 
sequences  starting  in  S  result  in  equal  firing  states.  If  P'  is  also 
functional,  then  all  halted  firing  sequences  starting  in  S'  result  in 
equal  final  states.  The  "simulates"  relation  is  invariant  under  substi¬ 
tution  of  equal  states.  Therefore,  it  is  only  necessary  to  find  one 
halted  firing  sequence  2  starting  in  S  and  one  halted  sequence  S'  starting 
in  S'  such  that  S'  •£'  simulates  S' Si.  The  following  algorithm  constructs 
such  an  £>'  from  any  2. 


Algorithm  3.4-2  Let  P  be  any  L^  program,  and  let  T  and  P'  be  any  map  and 
corresponding  L^  program  produced  from  P  by  Algorithm  3.4-1.  Given  any 
firing  sequence  2  starting  in  any  initial  state  for  P,  and  any  initial 
state  S'  for  P',  construct  a  firing  sequence  R(S2)  recursively  as  follows: 
Basis:  R(\)  -  X. 

Induction  step:  Let  Qtp  be  any  firing  sequence  starting  in  any  initial 
state  for  P,  where  the  last  firing  ip  is  of  actor  d  in  P.  Then  R(2<p)  is 
given  by: 

If  d  does  not  label  a  Const,  Append,  or  Remove,  then 

R(2cp)  ■  R(2)<pr,  where  <p'  is  the  firing  which  is  the  label  T(d) . 
Otherwise,  R(&p)  ■  RteJ^ip^Q,  where 


T(d)  -  (C,U,G) 

<PC  ■  (C,(p,n))  where  <p  •  (d,(p,n)),  ^  - 


U,  and 


•  G. 


A 
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IC  should  be  noted  that,  technically,  the  definition  of  "simulates" 
(Definition  2.4-7)  cannot  be  applied  to  a  modified  state.  This  is  because 
the  definition  of  the  "Match"  relation  between  the  conditions  of  arcs  in 
states  (Definition  2.4-2)  assumes  that  each  arc  has  either  no  token,  a 
token  with  a  non-pointer  value,  or  a  token  whose  value  is  a  simple  pointer. 
In  a  modified  state,  however,  each  token's  value  is  either  a  non-pointer, 
or  (p,R)  or  (p,W)  where  p  is  a  pointer.  The  association  of  the  innocuous 
"R"  or  "W"  tags  with  each  pointer  in  a  configuration  should  not  disqualify 
an  otherwise-equivalent  program.  I.e.,  it  should  not  be  cause  for  concern 
if  the  definition  of  "simulates"  Ignores  the  presence  or  absence  of  such 
tags.  This  is  most  easily  accomplished  by  revamping  the  definition  of 
"Match"  (matching  conditions  for  arcs  in  two  modified  Interpreter  states 
are  also  included  here,  for  completeness): 

Definition  3.4-1  Let  S ^  and  be  a  standard  and  a  modified  or  two 
modified  Interpreter  states.  Let  and  Y^  he  their  respective  config¬ 
uration  components,  and  let  ■  (N^,FI^,SM^)  and  “  (N2,ri2*SM2)  he 
their  respective  heap  components.  Let  b^  and  h2  each  be  an  arc  from  the 
program  of  which  and  Y^»  respectively,  is  a  configuration.  Then  for 
any  one-to-one  mapping  I :  -*■  ^ ,  the  condition  of  b^  in  52  etches  under 

i  the  condition  of  b ^  in  5^,  written 

Match((b2,S2),  I,  (b ^Sj)) 
iff  one  of  the  following  is  true: 

1.  There  is  no  token  on  b^  in  and  no  token  on  bj  in  ^ 

2.  There  are  tokens  with  equal  non-pointer  values  on  b^  in  P^  and  on 

b2  in  r2- 


r— 7 
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3.  a.  For  1*1,2,  there  Is  a  token  with  value  p^,  (p^,R),  or  (p^.W), 
where  p^  is  a  pointer,  on  in  r^> 

b.  if  both  tokens'  values  are  tagged  pointers,  the  tags  are  the 
same,  and 

c.  u2.n2(p2)  -  »1.n1(,1) 

A 

Theorem  3.4-2  Let  F  be  any  well-behaved  L_„.  program,  and  let  P*  be  its 

-  gy 

translation  via  Algorithm  3.4-1.  Let  S  be  any  Initial  standard  state  for 
P,  and  let  S'  be  any  initial  modified  state  for  P'  which  simulates  S. 

Then  for  any  halted  firing  sequence  Q  starting  in  5: 

1.  R(S2)  is  a  halted  firing  sequence  starting  in  S',  and 

2.  -S'*  *R(S2)  simulates  5,-S2. 

Proof :  The  proof  of  this  is  tedious  and  has  been  relegated  to  Appendix  B. 
The  only  non-straightforward  points  in  it  are  listed  below: 

1.  Whenever  a  Const,  Append,  or  Remove  d  is  enabled  in  P,  the  corres¬ 
ponding  Copy  C  is  enabled  (Figure  3.4-1).  Firing  that  enables  the 
corresponding  Assign,  Update,  or  Delete  U.  Firing  U  then  enables 
the  sequencer  G. 

2.  There  is  only  one  write  pointer  output  per  Copy  firing,  and  that 
is  input  by  the  immediately-following  firing.  Therefore,  whenever 
a  Select  fires,  there  are  no  write  pointers  in  the  configuration, 
so  its  output  tokens  appear  with  no  delay. 

Beyond  this,  the  proof  is  simply  a  case-by-case  demonstration  that  equal 
Inputs  (Identical  non-pointer  values  or  pointers  to  equal  components) 
to  two  firings  of  an  operator  produce  equal  results. 


A 
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Theorem  3.4-3  For  any  well-behaved  program  P,  let  P'  be  the 
program  produced  from  P  by  Algorithm  3.4-1.  If  every  L^  program  is 
functional,  then  P'  is  equivalent  to  P. 

Proof :  Let  A  be  the  map  from  arcs  In  P  to  arcs  in  P*  generated  in  the 


production  of  P ' . 

(1)  A  is  a  similarity  mapping  from  P  to  P' 


Alg.  3 . 4-1+Def .  2.4-6 


Let  5  be  any  initial  standard  state  for  P,  and  let  2  be  any  halted  firing 
sequence  starting  in  5.  Let  S'  be  any  Initial  modified  state  for  P' 
which  simulates  St  and  let  2'  be  any  halted  firing  sequence  starting  in  S' . 


(2)  R(2)  is  a  halted  firing  sequence  starting  in  S'  and  S’ *R(2) 


simulates  5*2 

(3)  There  is  a  mapping  1^  such  that,  for  each  arc  b  in  P, 

Match ((A(b) ,5' *R(2)) ,  1^  <b,5*2>) 

(4)  P*  is  in  Ljj 

(5)  Every  program  in  LQ  is  functional  =>  P'  is  functional 

(6)  =»5'*2'  equals  5' •  R(2) 


Thm.  3.4-2 


(2)+Def .  2.4-7 
Thm.  3.4-1 


(2)-H)ef .  2.4-4 


(7)  *»  there  is  a  mapping  I2  such  that,  for  each  arc  c  in  P', 
Match((c,5' ’2') ,  I2>  <c,5'-R(2>)) 


Def .  2.4-3 


(8)  =»  for  each  arc  b  in  P, 

Match((A(b) ,  5*-2'),  I^,  (b,5*2)) 

(9)  =»  S'  *2'  simulates  5*2 


(3)+Thm.  3.4-1 
(1)+Def.  2.4-7 
Q.E.D. 


The  primary  goal  of  this  thesis  is  to  develop  a  language  L^  and  an 
interpreter  for  it,  together  with  a  translation  from  to  Lp  which 
produces  equivalent  programs  having  maximal  structure  concurrency. 
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Section  3.3  has  presented  the  language  and  the  modified  data-flow 
interpreter  for  it.  It  has  been  argued  in  Section  3.2  that  every 
program  on  the  modified  interpreter  is  determinate,  hence  functional. 
Section  3.4  contains  a  translation  algorithm  from  L ^  to  Lg  which,  if 
indeed  every  program  is  functional,  produces  equivalent  programs. 

The  proof  that  every  program  is  functional  on  the  modified  interpreter 
fills  Chapters  4,  5,  6,  and  7.  Chapter  8  Includes  a  judgment  of  how  well 
the  goal  of  maximal  concurrency  has  been  met. 
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Chapter  4 

The  Entry-Execution  Model 

This  chapter  introduces  the  entry-execution  model  of  concurrent 
computation.  The  purpose  of  developing  this  model  is  to  make  the  results 
of  the  thesis  as  widely  applicable  as  possible.  The  major  result  is  that 
a  language  L  with  Structure-as-Storage  operations  can  be  made  a  determinate 
language  by  modi,fyifcg  it  according  to  a  certain  scheme.  The  entry- 
execution  model  of  L  focuses  on  just  those  aspects  of  L  pertinent  to  this 
statement:  whether  it  is  determinate  and  whether  it  includes  the  Structure- 
as-Storage  operations,  in  either  a  simple  or  a  modified  form.  Details  of 
L  not  germane  to  these  issues  are  abstracted  away. 

Specifically,  the  results  of  this  thesis  can  be  applied  to  any 
language  L  and  interpreter  I  on  which  L  runs  by  the  following  procedure: 

1.  Modify  I  so  that  the  outputs  of  Select  operators  are  withheld  in 
accordance  with  the  Blocking  Discipline.  Restrict  L  to  those 
programs  in  it  which  satisfy  properties  analogous  to  the  Determinacy 
Condition  and  the  Read-Only  Condition.  Call  the  modified  interpreter 
I'  and  the  restricted  language  L' .  (This  step  has  already  been 
performed  for  the  data-flow  language  L^g.) 

2.  Construct  an  entry-execution  model  E  of  L'  running  on  I'.  The 
general  form  of  such  a  model  is  defined  below  in  Section  4.2;  as  an 
example,  an  algorithm  for  constructing  a  model  of  any  data-flow 
language  and  interpreter  is  given  in  Section  4.3. 


MiatolllMi m 


.1.  Check  that  K  saltation  tho  constraints  defining  a  Structuro-as- 

StoraRo  (S-S)  model,  Rivon  In  Section  5.1.  K  is  an  S-S  model  III 

1.'  contains  operations  havtnR  the  same  order-dependent  behavior  on 

I'  as  the  structure  operations  in  1,  ;  this  is  proven  in  Section  5.1 

Bo 

4.  Check  that  K  satisfies  the  Determinacy  Axioms,  Riven  in  Section  f>.2. 
These  are  simple  properties  of  the  control  portion  of  a  program 
which  are  used  to  prove  that  the  program  is  determinate.  Most  of 
them  are  used  in  existing  proofs  of  determinacy  for  languages 
without  structure  operations,  and  so  are  well  understood.  One  axiom 
asserts  the  key  requirement  of  freedom  from  conflict  between  struc¬ 
ture  operations;  K  should  satisfy  this  axiom  if  the  modifications 
in  Step  1  were  made  correctly.  Then  the  principal  theorem  applies 
to  Ej  An  S-S  model  which  satisfies  the  Determinacy  Conditions  Is  a 
determinate  model  (defined  In  Section  b.l). 

5.  Trove  from  the  construction  in  step  2  that  E  is  a  determinate  model 
only  if  L*  running  on  l '  is  a  functional  language. 

Thu  final  three  steps  are  applied  in  Chapter  7  to  the  language  h  . 

DO 

The  general  form  of  an  entry-execution  model  is  given  in  Section  4.2 
below;  this  is  prefaced  by  a  description  of  existing  models  of  concurrent 
computation  which  shows  their  lnappropr lateness  for  the  current  research. 
Section  4.3  then  provides  an  algorithm  to  construct  an  entry-execution 
model  of  any  data-flow  language  end  Interpreter. 

4.1  Historical  Perspective 

Several  models  of  concurrent  computation  have  been  developed  In  the 
past  ten  years.  Each  of  these  different  models  was  designed  to  aid  in 
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the  study  of  particular  properties  of  parallel  programs,  usually 
determinacy  and  equivalence.  Certain  details  about  a  parallel  program 
have  no  bearing  on  its  determinacy  or  equivalence,  and  so  are  treated 
abstractly  in  the  models.  These  models  are  very  specific,  however,  about 
those  other  details  which  have  a  strong  impact  on  the  issues  of  interest. 
The  basic  elements  common  to  all  models  for  which  determinacy  is  a  meaning¬ 
ful  concept  are  described  briefly  below.  Each  of  these  elements  is 
characterized  as  to  the  degree  of  abstraction  with  which  it  is  typically 
treated,  to  show  that  the  development  of  the  entry-execution  model  has  been 
guided  by  the  same  principles  as  this  previous  work. 

These  models  of  concurrent  computation  are  based  on  five  concepts, 
which  are  described  below,  both  in  general  and  by  reference  to  the  data¬ 
flow  model  presented  in  Chapter  2. 

1.  A  program  contains  (among  other  things)  a  set  of  instructions 
(actors).  Each  instruction  specifies  (among  other  things)  an 
operation. 

2,  Computing  by  a  program  involves  a  set  of  executions  (firings). 

An  execution  is  the  application  of  some  instruction's  operation 

to  a  set  of  input  values  to  produce  a  set  of  output  values.  It  is 
characteristic  of  concurrent  computation  that  the  relative  order  in 
which  these  executions  occur  is  not  totally  fixed  by  the  program. 
Instead,  the  program  determines  a  set  of  possible  relative  orders 
or  computations  (firing  sequences) .  A  computation  is  a  sequence  of 
events ,  each  of  which  is  typically  either  the  Initiation  or  the 
termination  of  some  execution;  this  allows  modeling  not  only 
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dlfferent  Initiation  orders,  but  also  multiple  executions  in 
progress  (initiated  but  not  terminated)  concurrently. 

3.  The  instructions  in  a  program  are  interconnected  by  a  (local)  memory 
structure.  This  consists  of  a  set  of  memory  elements  (arcs).  Each 
instruction  is  assigned  some  subset  of  these  elements  as  its  inputs 
and  another  subset  as  its  outputs.  Each  time  an  instruction 
executes,  input  values  are  read  from  its  input  memory  elements,  and 
results  are  written  into  its  output  elements. 

It  is  in  this  memory  structure  that  the  greatest  diversity 
among  models  appears.  Each  element  may  store  just  one  value,  with 
either  destructive  (data  flow)  or  non-destructive  [24,28]  readout. 
Alternatively,  each  element  may  be  a  first-in,  first-out  queue 
[2,23,34].  The  interconnection  of  instructions  and  memory  elements 
may  be  arbitrary  or  may  be  restricted,  as  in  the  case  of  data  flow 
(in  which  each  element  is  an  input  of  at  most  one  instruction  and 
an  output  of  at  most  one  instruction) . 

4.  Every  program  has  a  control  portion.  There  is  a  set  of  states 
defined  over  the  control  portion,  and  a  universal,  non-deterministic 
state-transition  rule.  This  rule  defines  a  set  of  enabled  events 
(initiations  and  terminations)  for  each  possible  state  of  the 
control.  It  also  describes  the  new  state  resulting  from  each 
possible  choice  of  which  enabled  event  occurs  next.  The  manner  in 
which  a  state  set  and  transition  rule  generates  a  set  of  possible 
computations  is  the  same  in  all  models,  and  is  exemplified  by  data 
flow  (Definition  2.1-5).  The  major  difference  among  the  models  is 
in  the  representation  of  the  state.  The  state  may  be  embedded  in 
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the  memory  structure,  either  In  the  amount  of  data  In  input  queues 
(computation  graphs  [23]  or  data  flow),  in  auxiliary  control  infor¬ 
mation  stored  in  each  element  (program  graphs  [30]),  in  a  combination 
of  these  (graph  programs  [2]),  or  in  the  values  of  stored  data 
(computational  schemata  [28]).  Alternatively,  there  may  be  a 
separate  control  structure,  consisting  of  a  set  of  counters  (flow 
graph  schemata  [34]  or  parallel  flowcharts  [24])  or  precedence  graphs 
[18,28],  or  the  state  set  can  be  completely  arbitrary  (parallel 
program  schemata  [24]). 

5.  There  is  a  definition  of  a  determinate  program.  The  general  notion 
may  be  stated  as:  Given  a  program  and  initial  local  memory  content, 
every  memory  element  has  the  same  sequence  of  values  written  into  it 
during  all  possible  computations.  Clearly,  the  exact  definition 
depends  on  the  particular  memory  structure  unique  to  each  model. 

Out  of  the  body  of  research  employing  these  models  have  come  several 
general  facts  about  determinacy  in  parallel  programs.  One  of  the  most 
significant  of  these  is  that  determinacy  is  not  affected  by  the  particular 
choice  of  operations  performed  by  the  instructions.  The  only  requirement 
is  that  all  operations  satisfy  the  following  two  properties: 

a.  Determinism  -  The  outputs  of  an  execution  of  the  operation  depend 
only  on  the  inputs  to  that  execution. 

b.  Finite  delay  -  Once  initiated,  an  execution  of  the  operation  must 
terminate  within  a  finite  time. 

It  is  significant  that  all  of  these  models  assume  that  any  operation 
used  in  a  program  satisfies  these  properties.  As  a  consequence,  most 
models  choose  to  abstract  away  the  particulars  of  operations  by  defining 


-154- 


parallel  schemata.  A  schema  Is  a  program  with  all  Instructions  replaced 
by  operators .  An  operator  differs  from  an  instruction  in  that  it  has  an 
abstract  operation  symbol  in  place  of  a  specific  operation.  That  is, 
where  an  instruction  in  a  program  has  an  operation  like  addition,  the 
corresponding  operator  in  a  schema  might  have  the  symbol  '  f'.  Study  of 
schemata  has  led  to  the  discovery  of  sufficient  conditions  for  their 
determinacy  (the  Determinate  Schema  Axioms,  presented  in  Section  6.2). 

If  a  schema  is  determinate,  then  any  program  obtained  by  replacing  each 
abstract  operation  symbol  with  a  specific  operation  is  also  determinate 
(assuming  that  the  specific  operation  is  deterministic  and  has  finite 
delay) . 

This  has  been  the  main  thrust  of  abstraction  in  the  past:  going  from 
concrete  programs  to  schemata,  which  have  concrete  memory  and  control 
structures  but  abstract  operations.  With  one  exception  (noted  shortly), 
there  has  never  been  an  attempt  to  Instead  abstract  away  both  the  memory 
and  control  portions.  It  has  apparently  always  been  felt  that  it  is  more 
challenging  to  verify  the  Determinate  Schema  Axioms  for  a  particular 
concrete  memory/control  structure  than  to  verify  determinism  and  finite 
delay  for  a  particular  operation.  Therefore,  most  of  the  previous  models 
were  directed  toward  devising  a  general  form  for  memory  and  control  which 
(1)  is  "practical",  for  programming  and/or  implementation,  and  (2)  makes 
it  easy  to  identify  the  schemata  in  that  form  which  satisfy  the  Determinate 
Schema  Axioms. 

This  thesis  presents  a  different  challenge  in  guaranteeing  determin¬ 
acy.  It  is  assumed  that  programs  will  be  written  using  any  schema  form 
which  has  been  (or  will  be)  developed.  This  means  that  the  problem  of 
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Identlfylng  which  programs'  memory  and  control  structures  satisfy  the 
Determinate  Schema  Axioms  Is  not  of  Interest.  Rather,  the  concern  here  Is 
for  defining  useful  non-determinlstic  operations  In  such  a  way  that  it  Is 
still  easy  to  identify  determinate  programs.  This  change  in  focus  calls 
for  a  radically-dif ferent  model  of  parallel  programs,  one  with  abstract 
memory  and  control,  but  concrete  operations.  What  is  unusual  about  this 
new  entry-execution  model  is  not  the  principle  of  abstraction,  but  the 
particular  choice  of  aspects  to  be  abstracted. 

An  increased  emphasis  on  the  definitions  of  operations  is  evident 
in  the  efforts  of  [3],  [22],  and  [27]  to  specify  the  semantics  of  a 
schema  language  without  using  an  interpreter.  These  researches  defined 
an  operator  as  a  function  from  the  vector  of  sequences  of  tokens  appearing 
on  its  input  arcs  to  a  vector  of  sequences  of  tokens  appearing  on  its 
output  arcs  (necessary  to  handle  the  gates,  which  do  not  always  consume 
input  tokens  and  produce  output  tokens) .  This  new  tool  is  not  relevant 
to  the  problem  under  consideration  here,  however,  because  of  the  following 
two  characteristics: 

1.  The  concept  was  developed  in  an  attempt  to  specify  the  (possibly- 
partial)  function  from  program  inputs  to  outputs  realized  by  a 
program  which  is  known  to  be  functional  and  well-behaved. 

2.  It  allowed  defining  operators  for  which  the  outputs  of  an  execution 
depend  on  the  sequence  of  past  inputs  to  that  operator  (rather  than 
on  just  the  current  inputs) . 

But  the  concern  here  is  for  deciding  whether  or  not  a  program  is  function 
functional,  given  that  it  contains  operators  the  outputs  of  which  may 
depend  on  the  sequence  of  past  inputs  to  other  operators  as  well. 
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Closest  in  spirit  to  the  approach  taken  here  is  that  of  Greif  in  her 
thesis  on  the  semantics  of  communicating  parallel  processes  [19];  the 
similarities  extend  to  the  definition  of  a  Structure-as-Storage  model,  and 
so  a  detailed  comparison  has  been  deferred  to  the  end  of  Section  5.1.  Her 
work  was  based  on  the  "actor  model",  the  only  well-known  effort  to  abstract 
away  control  and  local-memory  structures.  Actors  also,  however,  abstract 
away  the  concept  of  a  program  as  a  fixed  set  of  instructions,  which  was 
undesirable  for  the  present  purposes. 

4.2  Definition 

An  entry-execution  model  differs  from  a  schema  model  in  two  major 
regards:  (1)  The  abstract  programs  bear  no  resemblance  to  real  programs. 
(2)  Computations  are  sequences  of  events  other  than  initiations  and  termin¬ 
ations  of  executions.  These  differences  will  be  motivated  here  during  the 
top-down  definition  of  the  general  form  of  an  entry-execution  model. 

The  top  level  establishes  the  undefined  concepts  which  will  be  needed: 

Definition  4.2-1  An  entry-execution  model  of  a  language  is  a  five-tuple 

(V,  L,  A,  In,  E) 

where 

V  is  an  atomic  value  domain 

L  is  a  set  of  labels  , 

A  is  a  domain  of  primitive  actions 

In  is  a  function  assigning  to  each  action  in  A  an  Integer, 
its  input  arity 

£  is  a  set  of  expansions,  defined  below 


A 
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The  set  V  of  values  is  arbitrary,  but  must  be  made  explicit  in  order  for 
the  notion  of  determinacy  to  make  sense.  The  model  also  retains  the  idea 
that  a  program  contains  instructions  which  have  actions  (e.g..  Select, 
add,  merge)  associated  with  them.  Each  instruction  in  a  program  must 
be  uniquely  identified  by  a  label  from  L.  Each  action  associated  with 
any  instruction  must  be  in  the  set  A.  Furthermore,  an  execution  of 
instruction  d  must  have  a  number  of  inputs  equal  to  the  input  arity  of 
the  action  associated  with  d.  L  is  the  only  one  of  these  entities 
which  is  abstract;  the  determinacy  of  a  program  does  not  depend  on  the 
particular  labels  on  the  instructions.  It  does  however  depend  on  the 
exact  definition  of  at  least  some  actions  (the  structure  operations), 
as  well  as  on  their  input  arities.  It  is  obvious  how  V,  L,  A,  and  In 
would  be  chosen  in  modeling  a  data-flow  language. 

4.2.1  The  Abstract  Programs 

When  the  specific  operations  are  abstracted  away  from  a  program, 
the  result  is  a  schema.  When  the  specific  memory  and  control  structures 
are  abstracted  away  from  a  program,  the  result  is  an  expansion: 

Definition  4.2-2  Given  a  model  (V,  L,  A,  In,  £),  each  expansion  in  £ 
is  an  ordered  pair  (In t,J)  where 

Int  is  an  interpretation,  an  ordered  triple  (St,  /,IE)  in  which 

St  c  L, 

/:  St  -*■  A,  and 

IE  is  a  set  of  executions  (defined  below). 
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and  J  is  a  set  of  jobs  for  Int,  also  defined  below. 

A 

An  expansion  retains  none  of  the  structure  of  a  program  that  a  schema 
does.  This  is  the  first  distinctive  feature  of  the  entry-execution  model. 
An  expansion  is  as  useful  an  abstraction  as  a  schema  is,  however,  as  the 
following  argues. 

A  parallel  program  P  determines  a  set  of  jobs.  "Job"  here  connotes 
the  set  of  possible  computations  by  P  on  a  distinct  program  input.  Thus 
each  possible  input  to  P  gives  rise  (in  principle)  to  a  different  job. 

In  a  schema  model,  each  possible  distinct  input  to  P  corresponds  to  a 
different  equivalence  class  of  initial  states  for  the  memory  and  control 
portion  of  P.  Whenever  desired,  this  compact  initial-state  representation 
can  be  expanded  into  a  job,  by  generating  all  possible  sequences  of 
applications  of  the  state-transition  rule  starting  in  one  of  those 
initial  states. 

In  the  entry-execution  model,  there  is  no  concept  of  state,  and 
hence  no  state-transition  rule  to  apply.  Jobs  are  still  of  interest, 
because  ultimately  determlnacy  is  a  property  of  jobs.  But  their  derivation 
through  specific  state  transitions  is  not  of  interest.  Therefore,  the 
details  of  memory  and  control  are  abstracted  away  from  a  program,  leaving: 

1.  a  set  of  instruction  labels  (St), 

2.  an  association  of  actions  with  these  labels  (/), 

3.  a  distinguished  set  of  executions  (IE)  whose  outputs  will  be  used 
to  model  the  program's  inputs,  and 

4.  the  set  of  jobs  resulting  from  expanding  each  equivalence  class  of 
initial  states  for  the  program  (J) . 
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Thls  abstract  program  will  be  known  here  as  an  expansion.  If  an  expansion 
Is  determinate,  then  any  program,  with  any  explicit  memory  and  control 
structure,  which  yields  that  expansion  is  also  determinate.  This  is  the 
same  spirit  in  which  the  determinacy  of  programs  is  implied  by  the 
determinacy  of  schemas. 

The  next  definition  clarifies  the  point  that  a  job  is  not  an 
arbitrary  set  of  computations. 

Definition  4.2-3  Given  an  interpretation  Int,  a  job  for  Int  is  a  set 
of  computations  for  Int  (defined  later.) 

A 

Qualifying  a  computation  as  being  "for  Int",  where  Int  «  (St,  /,IE), 
essentially  just  specifies  that 

1.  all  executions  are  of  instructions  having  labels  in  St,  and 

2.  each  execution  of  an  instruction  labelled  d  has  the  proper  number 
of  inputs  for  the  action  /(d) . 

The  conceptual  significance  of  a  job  is  that  it  represents  all 
computations  by  a  program  on  "the  same  input".  Any  precise  character¬ 
ization  of  a  job  then  necessarily  makes  reference  to  the  set  of  input 
values  of  a  program.  In  a  standard  schema  model,  these  are  just  the 
contents  of  a  designated  subset  of  locations  in  the  memory  structure  of 
an  initial  state.  In  the  entry-execution  model,  however,  there  is  no 
memory  structure.  Instead,  these  program  inputs  will  be  modeled  as  the 
outputs  of  certain  executions:  those  in  the  designated  set  IE  in  the 
interpretation  associated  with  the  program.  These  executions  will  in 


general  be  dummies,  l.e.,  not  "real"  executions  of  instructions  in  the 
program.  This  artifice  is  best  illustrated  by  example,  as  in  the  entry- 
execution  model  of  a  data-flow  language  (cf.  Definition  4.3-1  below). 

The  determination  of  which  sets  of  program  input  values  constitute 
"the  same  input"  to  a  program  is  highly  language-dependent;  consequently, 
including  any  further  constraints  here  in  the  general  definition  of  a  job 
may  render  interesting  languages  Incapable  of  being  modeled.  The  argument 
for  this  claim  is  deferred  until  after  the  completion  of  the  definition 
of  a  model. 

4.2.2  The  Computations 

The  second  distinctive  feature  of  the  entry-execution  model  is  its 
definition  of  a  computation.  The  most  Important  criterion  in  designing 
this  is  that  there  be  a  concise  definition  of  determinacy  for  a  set  of 
computations.  A  crude  expression  of  a  suitable  notion  has  already  been 
given,  in  terms  of  the  schema  model  of  data  flow,  as  the  five  Determinacy 
Assertions  (Section  3.1.2).  A  principal  source  of  clumsiness  in  those 
assertions  was  the  frequent  occurrence  of  the  phrase  "the  j^  firing  of 
actor  d";  consequently,  the  entry-execution  model  offers  a  more  concise 
denotation: 

Definition  4.2-4  Given  a  model  (V,  L,  A ,  In,  £),  an  execution  is  an 
ordered  pair  consisting  of  a  label  d€L  and  a  positive  integer  k,  written 

Ex(d,k) 

In  an  entry-execution  model  of  a  data-flow  firing  sequence,  Ex(d,k) 
denotes  the  k^  firing  of  the  actor  labelled  d. 


A 
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The  Determinacy  Assertions  also  make  reference  to  the  value  of  a 
particular  Input  to  a  particular  firing,  and  to  the  direct  transfer  of 
that  input  from  an  output  of  some  other  firing.  Appropriately,  then,  a 
computation  in  the  entry-execution  model  is  a  sequence  of  entries,  each 
representing  the  transfer  of  a  single  atomic  value  from  an  output  of  a 
source  execution  to  an  input  of  a  destination  execution: 

Definition  4.2-5  Given  a  model  (V,  L,  A,  In,  E) ,  a  source  is  an  ordered 
pair  consisting  of  an  execution  e  and  a  positive  integer  i,  written 

Src(e,i) 

A  destination  is  an  ordered  pair  consisting  of  an  execution  e  and 
a  positive  integer  j,  written 

Dst(e.j) 

A  transfer  is  an  ordered  pair  (s,d),  where  s  is  a  source  and  d  is 
a  destination. 

An  entry  is  an  ordered  pair  consisting  of  a  transfer  and  an  atomic 
value  from  V.  If  f  is  an  entry,  then  T(f)  denotes  the  transfer  component 
of  f  and  V(f )  denotes  the  value  of  f.  Letting  the  transfer  of  f  be 

(Src(e1>i) ,  Dst(e2,j)) 

f  is  an  output  entry  of  execution  e^,  and  is  the  j  ^  input  entry  of 
execution  e2«  The  target  execution  of  f  is  e2- 

A 

The  appearance  of  an  entry  with  transfer 

(Src(Ex(dltkj)  ,i)  ,  Dst(Ex(d2>k2) ,  j)) 
and  value  v  in  a  computation  modelling  a  firing  sequence  &  means  that: 

The  value  of  the  number-j  input  to  the  k^  firing  of  actor  d2  in  2  was 
v,  and  was  produced  as  the  number-i  output  of  the  k^  firing  of  d^. 
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The  set  of  entries  constituting  a  computation  must  satisfy  certain  obvious 
constraints  in  order  to  be  a  reasonable  model: 

Definition  4.2-6  Given  a  model  (V,  L,  A,  In,  £)  and  an  interpretation 
Int  *  (St,  /,IE)  in  some  expansion  in  £,  a  computation  for  Int  is  a 
(possibly  infinite)  sequence  of  entries 


satisfying  the  following: 

1.  Let  e  »  Ex(d,k)  be  any  execution  of  which  there  is  either  an  input 
entry  or  an  output  entry  in  co.  Then  dfST,  and  there  are  at  most 
In(/(d))  input  entries  to  e  in  co.  If  co  contains  exactly  In(/(d)) 
input  entries  of  e,  then  e  is  initiated  in  co  (with  respect  to  Int) , 
and  the  last  such  input  entry  in  <o  is  the  initiating  entry  of  e. 

2.  The  destinations  of  the  transfers  of  the  entries  in  co  are  all 
distinct  (i.e.,  for  each  j ,  an  execution  has  at  most  one  number-j 
input  entry  in  co) . 

3.  For  any  source  s,  denote  by  OE  (s)  the  set  of  entries  in  co  whose 

co 

transfers  have  source  s.  Then  all  entries  in  OE  (s)  have  the  same 

co 

value .  This  common  value  is  the  value  of  source  s^  (in  co) . 

A 

Of  the  five  Determlnacy  Assertions ,  only  the  third  and  fifth  concern 
pointers  or  structure  operations;  thus  the  first,  second,  and  fourth 
together  define  determlnacy  of  a  program  having  no  structure  operators. 

The  following  statement,  which  is  as  strong  as  those  three  assertions, 
illustrates  the  conciseness  of  expression  possible  in  the  entry-execution 


model: 
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Given  an  expansion  (Int,J),  for  any  J€J,  every  halted  computation 
in  J  contains  exactly  the  same  set  of  entries. 

This  is  the  definition  of  a  determinate  expansion  in  the  absence  of 
structure  operators  (the  complete  definition  may  be  found  in  Section  6.1). 
It  is  claimed,  without  proof,  that  any  data-flow  program  P  whose  expansion 
is  determinate  must  satisfy  the  five  Determinacy  Assertions;  it  is  proven 
(in  Chapter  7)  that  P  is  at  least  functional.  The  ease  of  defining 
determinacy  illustrates  the  benefits  of  choosing  entries  as  the  events  in 
computations,  which  choice  was  the  second  major  departure  from  the  schema- 
model  norm. 

It  has  been  claimed  that  an  exact  description  of  the  set  of  compu¬ 
tations  by  a  single  program  on  a  single  input  (i.e.,  of  a  job)  is  highly 
language-dependent.  This  is  easily  seen  by  comparing  the  appropriate 
descriptions  for  data-flow  languages  with  and  without  structure  operators. 
In  an  entry-execution  model  of  any  data-flow  language  (as  constructed  in 
Section  A. 3),  the  value  of  the  token  on  each  program  input  arc  is  repre¬ 
sented  as  the  value  of  a  distinctive,  fixed  entry;  call  the  entry  repre¬ 
senting  the  number-i  program  input  the  "number-i  program  input  entry". 

In  the  model  of  a  data-flow  language  without  structure  operators  (such 
as  Lg) ,  a  job  is  easily  characterized:  Two  program  inputs  are  equal  iff 
they  are  identical;  hence,  for  any  i,  the  number-i  program  input  entries 
in  all  computations  in  a  job  must  have  the  same  value.  In  the  model  of  a 
language  with  structure  operators,  however,  this  constraint  applies  only 
to  those  program  input  entries  whose  values  are  not  pointers.  The  values 
of  pointer-valued  program  input  entries  are  arbitrary,  as  shown  next. 


Letting  p  be  any  pointer  which  la  on  a  program  Input  arc  in  some 
initial  state,  for  any  other  pointer  q  there  is  an  equal  initial  state 
in  which  that  arc  has  q  on  it.  Those  two  initial  atates  represent  the 
same  program  input.  The  set  of  all  computations  by  that  program  on  that 
input  is  a  Job  .t.  Therefore,  there  will  be  in  .1  some  computations  in 
which  the  corresponding  program  input  entry  has  value  p,  and  others  in 
which  that  entry  has  value  q.  Since  this  statement  is  true  for  any 
pointers  p  and  q,  every  pointer  appears  as  the  value  of  that  program  input 
entry  in  some  computation  in  J.  Titus  it  is  seen  that  any  attempt  to 
develop  a  non-trivlal  characterisation  of  "the  same  input"  which  is  valid 
in  the  models  of  all  interesting  languages  is  ill-advised. 

This  completes  the  presentation  of  the  general  form  of  an  entrv- 
exacution  model  of  a  programming  language.  This  model  was  motivated  bv 
the  desire  to  make  the  results  of  the  thesis  applicable  to  as  wide  a 
range  of  languages  as  possible.  To  this  end,  the  memory  and  control 
port  tons  are  abstracted  away  from  a  program,  to  focus  on  the  definitions 
of  the  operations.  The  resulting  abstract  program  looks  radically 
different  from  a  schema,  in  ways  which  have  been  pointed  out. 

The  merits  of  this  model  can  he  Judged  only  on  the  basis  of  (1)  how 
easily  results  sre  stated  In  its  terms,  and  (2)  bow  easily  they  are  then 
applied  to  different  languages.  Rv i deuce  on  the  first  of  these  Issues  may 
be  found  In  Chapters  5  and  6,  and  on  the  second  In  Chapter  7.  The 
remaining  section  of  this  chapter  constructs  a  model  of  data-flow 
languages.  The  current  section  now  concludes  with  some  useful  properties 
of  entry-execution  models  and  an  algorithm  for  producing  pictorial 
representations  of  computations. 
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4.2.3  Properties 

The  following  defines  two  properties  which  will  be  assumed  to  hold 
for  all  models  of  Interest. 

Definition  4.2-7  A  computation  co  is  causal  (with  respect  to  interpretation 
Int)  Iff  the  following  is  true  for  any  execution  e:  For  any  prefix  af  of 
to  in  which  f  is  an  output  entry  of  e,  e  is  initiated  in  a  (wrt  Int). 

A  computation  to  in  a  job  J  is  halted  in  J  iff  it  is  a  proper  prefix 
of  no  other  computation  in  J.  A  job  J  has  the  Prefix  Property  iff  for 
every  to  in  J,  every  prefix  of  to  is  in  J. 

A 

Causality,  while  not  strictly  essential,  greatly  simplifies  the  proofs 
developed  later;  it  is  proven  shortly  that  all  computations  in  a  model  of 
data  flow  are  causal.  Similarly,  a  job  could  include  only  halted  compu¬ 
tations.  But  the  Prefix  Property  allows  writing,  for  example,  "if  co  is 
in  J,  then  so  is  cof,"  instead  of  "if  co  is  a  prefix  of  some  computation  in 
J,  then  so  is  cof."  For  convenience,  then,  both  causality  and  the  Prefix 
Property  are  assumed  in  the  general  proof  of  determinacy  in  Chapter  6. 
Finally,  the  following  notational  conventions  will  be  observed: 

1.  Roman  letters  (f,  g,  h,  k)  will  be  used  to  denote  single  entries, 
while  Greek  letters  (co,  a,  p,  ...)  will  be  used  to  denote  sequences 
of  zero  or  more  entries. 

2.  Given  a  computation  co,  Ent  (e,j)  denotes  that  unique  entry  in  co 

co 

whose  transfer  has  destination  Dst(e,j).  When  co  is  understood,  the 
subscript  may  be  omitted. 

3.  Given  an  interpretation  (St,/, IE),  execution  Ex(d,k)  for  any  d(St 
and  any  k  is  an  execution  of  the  action  /(d). 

I 
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4.2.4  Pictorial  Representation 

The  relationships  among  the  entries  and  executions  of  a  computation 
can  be  depicted  as  a  directed  graph.  The  nodes  of  the  graph  represent 
executions  and  the  branches  represent  entries.  The  branches  terminating 
on  a  node  n  represent  the  input  entries  of  the  execution  e  represented 
by  n,  and  the  branches  leaving  n  represent  e's  output  entries. 

Algorithm  4.2-1  To  construct  an  entry-execution  graph  for  computation  co: 

1.  Initialize  an  entry  counter  EC  to  1. 

2.  For  each  entry  f  in  u  in  order:  Let  T(f)  ■  (SrcCe^.i) .DstCe^.j)) 

and  let  V(f)  ■  v. 

a)  If  there  is  no  node  labelled  with  e^^  (or  in  the  graph  yet, 
add  an  open  figure  (e.g.  a  circle)  with  e^  (or  written 
inside  it. 

b)  Draw  a  directed  branch  from  the  node  labelled  with  e^  to  the 
node  labelled  with  .  Write  1  beside  the  tail  of  this  branch 
and  j  beside  its  head. 

c)  Label  the  branch  (distinctively)  with  atomic  value  v  and  with 
EC.  Increment  EC  by  1. 

A 
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4.3  An  Entry-Execution  Model  of  Data-Flow  Languages 

This  section  first  presents  an  algorithm  for  deriving  the  entity 
EE(L,I)  from  any  data-flow  language  L  and  interpreter  I.  It  then  proves 
some  important  properties  of  EE(L,I),  including  that  it  is  indeed  an 
entry-execution  model .  This. serves  two  purposes:  (1)  it  is  a  specific 
example  of  the  construction  of  a  model,  and  (2)  it  is  the  first  step  in 
applying  the  results  of  the  thesis  to  the  data-flow  language  on  the 
modified  interpreter  M.  The  latter  process  was  outlined  at  the  start  of 
this  chapter.  The  algorithm  presented  here  figures  prominently  in  several 
steps  of  the  proof:  It  is  used  in  Chapter  7  to  prove  that  EEd^.M)  is  a 
Structure-as-Storage  model  satisfying  the  Determinacy  Axioms.  The  result 
of  Chapter  6  then  applies,  saying  that  every  expansion  in  ££(1^^)  is 
determinate.  Finally,  the  algorithm  is  used  to  prove,  from  this  result, 
that  every  program  in  is  functional  when  run  on  M. 

4.3.1  The  Construction  of  EE(L,I) 

The  steps  in  constructing  EE(L,I)  are  first  presented  informally: 

1.  For  each  initial  state  S  of  a  program  P,  and  firing  sequence  2 
starting  in  S,  construct  the  canonical  computation  r)(S , 2) ,  using 
Algorithm  4.3-1  below.  Inr)(S,2)»  there  is  an  entry  for  each  token 
appearing  on  an  arc  in  P  in  the  course  of  2,  and  the  entries  are 
arranged  in  the  order  of  the  removal  of  their  corresponding  tokens. 

2.  Construct  Jc  as  a  constrained  set  of  permutations  of  rj(S,2). 

J_  contains  all  halted  computations  which  model,  in  a  sense 

o  ,8 

described  later,  the  firing  sequence  2. 

3.  Construct  the  set  consisting  of  all  prefixes  of  all  computations  in 
Jg  g.  Every  computation  in  this  set  models  2,  and  the  set  satisfies 
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the  Prefix  Property. 

4.  Repeat  steps  1,  2,  and  3  for  all  firing  sequences  &  starting  in  all 
initial  states  in  the  equivalence  class  E  containing  S.  The  job 

J  is  the  union  of  all  the  sets  of  computations  produced  in  this 
manner . 

5.  Repeat  steps  1  through  4  for  all  equivalence  classes  of  initial 
states  of  program  P.  The  set  J  of  jobs  produced,  together  with  an 
interpretation  for  P,  is  the  expansion  corresponding  to  P. 

6.  Repeat  step  1  through  5  for  all  programs  in  the  language  L.  This 
generates  the  set  of  expansions  E,  which,  together  with  appropriate 
domains  of  values  and  actions,  constitutes  EE(L,I). 

The  formal  definition  of  EE(L,I)  is  presented  next,  in  a  top-down 
fashion  paralleling  the  general  description  of  an  entry-execution  model. 
Each  definition  given  below  is  followed  by  an  explanation. 

Definition  4.3-1  Given  a  data-flow  language  L  and  interpreter  I,  EE(L,I) 
is  the  five-tuple 

(V,  L,  A,  In,  £) 

where 

V  is  the  atomic  value  domain  of  L 

L  m  WUDL,  where  W  is  the  universe  of  labels  in  L,  and 
DL  -  {"ID",  "IT",  "IF" }U ( WU { "OD" }) xN 

where  N  is  the  set  of  natural  numbers,  and  none  of 
"ID",  "IT",  "IF",  and  "OD"  is  in  W 
A  is  the  set  of  actor  types  in  L,  plus  the  distinctive  1G  and  OA 
actions  (described  below) . 


> 


In  assigns  zero  to  IG,  one  to  OA,  and  to  every  other  actor  type  in 
A  assigns  the  number  of  input  tokens  which  that  type  removes 
at  each  firing 

E is  the  set  containing,  for  each  program  P  in  L,  the  expansion  of 
P,  defined  below. 

A 

IG  is  the  initial-value  generating  action,  and  OA  is  the  output-accepting 
action.  These  are  distinctive  in  that  they  are  not  associated  with  any 
actors  in  any  program  in  L.  IG  is  needed  because,  as  noted  earlier, 
initial  values  in  the  memory  structure  of  a  program  must  be  modeled  as 
the  outputs  of  executions.  Since  in  data  flow,  these  values  are  not 
outputs  of  real  executions,  dummy  executions  must  be  created.  The  dummy 
executions  Ex(IT,0),  Ex(IF,0),  and  Ex(ID,0)  will  act  as  sources  of  initial 
true,  false,  and  program  input  tokens  respectively;  consequently,  these 
three  executions  constitute  the  set  IE  in  all  interpretations.  Each  of 
these  is  an  execution  of  the  distinctive  action  IG.  Since  In(IG)  «  0, 
none  of  these  three  dummy  executions  will  have  any  input  entries. 

OA  is  the  action  of  another  set  of  dummy  executions.  These  will  be 
used  to  model  the  program  output  tokens.  Each  execution  of  the  OA  action 
will  be  Ex((c,j) ,0) ,  where  c  is  either  the  label  of  an  actor  or  the 
distinctive  label  "OD”,  and  j>0.  These  composite  labels  (c,j)  allow 
associating  a  unique  such  execution  with  every  arc  b  in  a  program,  by 
the  following  correspondence: 

If  b  la  the  number- j  input  arc  of  the  actor  labelled  d,  then  the 


associated  dummy  execution  is  Ex((d,j),0) 


Otherwise,  b  is  the  number- j  program  output  arc,  for  some  j,  in  which 


case  the  associated  dummy  execution  is  Ex((OD, j) ,0) . 

Since  In(QA)  -  1,  each  such  execution  e  will  have  exactly  one  input  entry 
in  all  computations,  with  destination  Dst(e,l). 

As  will  be  seen,  every  entry  in  a  computation  whose  target  is  not 
one  of  these  dummy  executions  models  the  removal  of  some  unique  token  by 
a  firing  of  a  real  actor.  Without  these  dummy  executions,  therefore, 
there  would  be  no  entries  modeling  the  tokens  left  in  the  final  state 
after  a  halted  firing  sequence.  But  these  are  just  the  tokens  which 
matter  in  determining  if  two  such  final  states  are  equal,  i.e.,  if  the 
program  is  functional.  Having  these  added  entries  makes  it  much  easier 
to  prove  that  only  a  functional  program  can  give  rise  to  a  determinate 
expansion. 

The  destinations  in  the  transfers  of  the  entries  modeling  tokens 
left  in  a  final  state  are  all  distinct,  as  required.  This  is  done  by 
making  each  such  destination  be  Dst(e,l)  where  e  is  a  unique  execution 
of  the  QA  action.  It  may  seem  that  a  neater  choice  would  be  to  have  each 
destination  be  Dst(e,j)  where  e  is  a  common  execution  of  OA  but  the 
integers  j  are  distinct.  This  is  not  possible  for  two  reasons: 

1.  In  order  to  associate  each  distinct  destination  with  an  arc,  a 
program  would  have  to  include  a  numbering  of  all  the  arcs,  which 
it  does  not. 

2.  There  would  be  an  indefinite  number  of  input  entries  to  the  common 
execution  e,  violating  the  requirement  that  there  is  a  maximum 
number  In(OA)  of  such  entries  in  all  computations. 


fc*;  J 


-171- 


In  general,  an  action  has  an  Input  arlty  equal  to  the  number  of 
Input  arcs  of  any  actor  with  which  It  Is  associated.  The  only  exception 
Is  the  merge  gate,  which  always  removes  two  tokens  from  Its  three  Input 
arcs;  Its  Input  arlty  is  therefore  two. 

Definition  4.3-2  (Expansion  of  P)  Given  a  data-flow  language  L,  let  P  be 
any  program  in  L.  Then  the  Interpretation  of  P,  Int(P),  is  (St,/, IE), 
where  St  is  the  set  of  labels  of  the  actors  in  P,  plus  the  label  set  DL 
/:  St  -+■  A  assigns  to  each  label  of  an  actor  in  P  the  type  of  that 
actor,  assigns  the  action  IG  to  each  of  the  labels  "ID",  "IT", 
and  "IF",  and  to  every  other  label  in  DL  assigns  the  action  OA 
IE  -  {Ex(ID, 0) ,  Ex(IT,0),  Ex(IF,Q)> 

The  expansion  of  P  is  the  ordered  pair  (Int(P),J)  in  which  J  is  the 
set  of  jobs 

J  =  {Jg|  E  is  an  equivalence  class  of  initial  states  for  P} 
where  J£  is  the  job  for  E,  defined  below. 

A 

J  is  the  set  of  jobs  resulting  from  expanding  all  initial  states  of  some 
program.  Thus  the  ordered  pair  (Int(P),J)  is  the  type  of  abstract  program 
being  called  an  expansion. 

Definition  4.3-3  Given  an  equivalence  class  E  of  Initial  states  for  a 

data-flow  program  P,  the  job  for  E,  J_,  is  given  by 

E 
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Je  ‘  U  U  "<Js,a> 

Si E  2€FS(S) 

where  FS(5)  is  the  set  o£  all  halted  firing  sequences  starting  in  S 

it  takes  a  set  of  computations  into  the  set  of  all  their  prefixes 
J £  is  the  set  of  computations  for  S  and  2,  defined  below. 

A 

„  is  a  constrained  set  of  permutations  of  the  canonical  computation 

S 

r|(5,S2).  The  algorithm  for  constructing  t](5,2)  is  given  next,  followed  by 

the  definition  of  J„  _. 

5,2 

Algorithm  4.3-1  Given  an  initial  state  5  of  a  data-flow  program  P  and  a 
firing  sequence  2  starting  in  S,  this  algorithm  constructs  the  canonical 
computation  -n(5,a)  in  two  steps.  The  first  step  is  to  recursively 
construct  the  computation  co(5,£)  as  follows: 

Basis:  cd(5,\)  -  X. 

Induction  step:  For  firing  sequence 2<p,  in  which  the  last  firing  <p  is  of 

the  actor  labelled  d  in  P,  co(5,&p)  is  derived  from  co(£,2)  as  follows: 

Let  e  *  Ex(d,n),  where  2cp  has  exactly  n  firings  of  d.  Let 

a.,  a0,  ...,  a  be  the  input  arcs  of  d  from  which  tokens  are  removed  in 
l  /  m 

going  from  state  S' 2  to  5*Q<j),  arranged  in  the  order  imposed  on  them  by  P. 
Then  co(5,2cp)  is  the  concatenation 
co(5,2<p)  “  w(5,S2) 

where  each  entry  f^,  k  *  l,...,m,  is  specified  by: 

V(f^)  is  the  value  of  the  token  removed  from  arc  a^  (except  that  if 
that  value  is  tagged  pointer  (p,R)  or  (p,W),  V(ffe)  is  Just  p) . 

The  destination  of  the  transfer  T(f^)  is  Dst(e,j),  where  a^  is  the 
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number -j  input  arc  of  d. 

The  source  of  T(f^)  is  given  as  the  value  of  the  function 
Source (a^ ,5 , 2) ,  which  is  defined  next. 

The  value  of  Source(a,5,a)  for  any  arc  a  and  firing  sequence  &  starting 
in  state  5  depends  on  whether  or  not  the  token  on  a  in  S' a  was  on  that 
arc  in  S: 

1.  If  it  was,  then  a  is  either  a  program  input  arc  or  a  control  arc. 

a.  If  a  is  the  number-i  program  input  arc  of  P,  then 
Source(a,S,a)  =  Src(Ex(ID,0) ,i) . 

b.  If  a  is  a  control  arc,  then  Source(a,S,a)  =  Src(Ex(IT,0) ,1) 
or  Source(a,S,a)  »  Src(Ex(IF,0) ,1) ,  according  to  whether  the 
token  is  a  true  or  a  false  token. 

2.  Otherwise,  let  i  be  such  that  a  is  in  the  riumber-i  group  of  output 
arcs  of  actor  d'  in  P.  Then  Source (a, S, ffi)  *  Src(Ex(d' ,n') ,i) , 
where  there  are  exactly  n*  firings  of  d'  in  a. 

Now  ri(S,a)  is  defined  as: 

If  2  is  not  halted,  then  ri(S,a)  *  co(S,8). 

If  a  is  halted,  let  b^,  b^ . b^  be  the  arcs  of  P  which  hold 

tokens  in  the  final  state  S'  a.  Then  r](S,a)  is  the  concatenation 
rj(<S,a)  ■  ,8^)82*  •  •  • 

where  each  entry  g^,  h  -  l,...,r,  is  specified  by: 

V(g^)  is  the  value  of  the  token  on  arc  b^  in  the  final  state 
(except  that  if  that  value  Is  (p,R)  or  (p,W),  V(g^)  is  just  p). 
The  destination  of  the  transfer  T(gh>  is  Dst(e,l),  where 

execution  e  depends  on  whether  b^  is  a  program  output  arc  of  P: 


I 
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1.  If  is  the  munber-j  output  arc,  for  some  j,  then 
e  -  Ex((OD, j) ,0) . 

2.  Otherwise,  b.  is  the  number-j  input  arc  of  an  actor 
n 

labelled  d  in  P,  for  some  j,  and  e  ■  Ex((d,j),0). 

,5 ,  S2)  . 

A 

The  computation  oj(S,2)  is  simply  2  with  each  firing  <p  replaced  by  a 

th 

set  of  entries  describing  the  tokens  removed  by  <p.  If  (p  is  the  n  firing 
of  the  actor  labelled  d,  these  entries  all  have  as  a  common  target  the 
execution  Ex(d,n)  referring  to  <p.  Let  a^  be  an  arc  from  which  a  token  was 
removed  by  ip,  and  let  d'  be  the  actor  of  which  a^  is  an  output  arc.  Then 
the  token  removed  from  a^  by  <p  was  placed  there  by  the  firing  of  d1  in  2 
which  most  recently  preceded  <p.  The  execution  referring  to  that  firing  of 
d'  is  Ex(d',n'),  where  exactly  n'  firings  of  d'  precede  <p  in  2.  That 
execution  is  the  source  of  the  entry  describing  the  token  removed  from  a^ 
by  (p. 

The  canonical  computation  r](5,2),  for  a  halted  firing  sequence  2, 
supplements  co(S,2)  with  a  set  of  entries  describing  the  tokens  left  in  5*2. 
For  each  arc  b  holding  such  a  token,  there  is  an  entry  whose  source  is  the 
execution  referring  to  the  firing  which  placed  that  token  on  b.  The  target 
of  that  entry  is  the  unique  dummy  output  execution  associated  with  b. 
Therefore,  for  each  token  which  appears  in  the  course  of  2,  there  is  a 
uniquely- identifiable  entry  f  in  r](s,2) ,  and  V(f )  equals  the  value  of  that 
token;  this  is  true  even  if  that  token  is  not  removed  by  any  firing  in  2< 
The  canonical  computation  t)(5,2)  retains  almost  all  of  the  information 
contained  in  the  original  firing  sequence  2.  What  cannot  be  conveyed  by  a 


The  source  of  T(g^)  is  Source (bh 


satisfies  all  of  the  following  (given  lnt(P)): 

1.  $(P)  is  the  reduction  of  Q. 

2.  p  is  causal. 

3.  Let  af  be  any  prefix  of  p,  let  0  be  the  prefix  of  £  whose  reduction 
is  4>(a),  and  let  the  destination  in  T(f)  be  Dst(Ex(d,k) ,  j)  . 

a.  If  dfDL,  then  let  b  be  the  number-j  input  arc  of  the  actor 
labelled  d.  That  actor  is  enabled  In  £‘6,  and  if  it  is  a  merge 
gate  and  b  is  its  T  (F)  input  arc,  then  its  control  input  arc 
holds  a  true  (false)  token  in  £*6. 

b.  If  d(DL,  then  d  =  (c,n).  Let  b  be  the  number-n  program  output 
arc  of  P,  if  c  *  "OD",  or  else  the  number-n  input  arc  of  the 
actor  labelled  c.  Then  there  is  a  token  on  b  in  £’0,  and  if  c 
labels  an  actor,  there  is  no  firing  sequence  starting  in  £*e 
which  contains  a  firing  of  c. 

A 

The  last  constraint  in  this  definition  is  necessary  to  make  tractable  the 
proof  of  the  key  property  of  persistence.  A  full  discussion  of  its  signif¬ 
icance  is  provided  in  conjunction  with  that  proof  in  Chapter  7;  suggestions 
for  more  meaningful  alternative  specifications  are  given  in  Chapter  8. 

This  completes  the  definition  of  EE(L,I);  a  proof  that  EE(L,I)  is  an 
entry-execution  model  will  be  given  shortly.  First,  this  example  of  a 
specific  model  can  be  used  to  gain  an  appreciation  for  the  choice  of 
entries  as  the  events  in  computations. 

One  benefit  of  using  entries  has  already  been  illustrated  by  the 
particularly  compact  definition  of  a  determinate  expansion.  Recalling  the 
description  in  Section  4.1  of  earlier  models,  determinacy  usually  was 
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computacion  are  the  essentially-arbltrary  pointer-node  pairs  in  the  Copy 
firings  in  $2-  The  consequences  of  this  loss  of  information  are  explored 
at  length  in  Section  5.2.1.  Here  it  will  just  be  shown  that  from  r)(S,2) 
can  be  reconstructed  the  reduction  of  Q  (recall  from  Definition  2.4-5  that 
the  reduction  of  &  is  &  without  the  pointer-node  pairs) . 

Definition  4.3-4  Given  a  computation  a  and  an  interpretation  Int,  the 
firing  sequence  reconstructed  from  a  with  respect  to  Int,  $(a) ,  is  defined 
recursively  as  follows: 

Basis:  4>(\)  *  X. 

Induction  step:  $(af)  depends  on  whether  or  not  entry  f  is  the  initiating 
entry  in  af  (wrt  Int)  of  an  execution  e  ■  Ex(d,k)  for  any  d/(DL  and  any  k. 

If  not,  then  $(af)  *  4>(a)  .  If  so,  then  <f>(af)  *  $(a)(p,  where  cp  is  the 
firing  which  is  just  the  label  d. 

A 

InrjCS,2),  the  input  entries  of  an  execution  are  all  grouped  together. 
If  the  ntl1  firing  in  ffi  is  the  kth  firing  of  actor  d,  then  the  n1"*1  such 
group  in  t)CS,£)  are  input  entries  to  Ex(d,k).  This  execution  is  then  the 
nth  initiated  in  riCS'.a),  and  so  the  nth  firing  in  4>(-r) C?  ,S2) )  is  the  kth 
firing  of  d.  Hence,  'KrjCS' ,2))  ia  the  reduction  of  &• 

For  any  permutation  p  of  t)CS»2)  which  preserves  initiation  order  of 
executions,  4>(p)  will  also  be  the  reduction  of  ffi.  The  set  of  all  such 
permutations  which  are  causal  forms  the  basis  of 

Definition  4.3-5  Let  S  be  any  initial  state  for  a  data-flow  program  P,  and 
let  2  be  any  halted  firing  sequence  starting  in  S.  Then  the  set  ^  of 
computations  for  5  and  8  consists  of  each  permutation  p  of  t)(S,2)  which 
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deflned  as  the  equivalence  of  all  the  event  sequences  in  a  job,  where  each 
event  typically  was  either  the  initiation  or  the  termination  of  an  execu¬ 
tion.  Different  models  had  different  notions  of  equivalence,  but  there 
was  a  very  common  method  of  proving  determinacy.  This  technique,  which 
has  been  adapted  for  use  here  in  Chapter  6,  involves  a  great  deal  of 
manipulation  of  event  sequences: 

The  Determinacy  Proof  Technique  -  Prove  that  any  pair  of  event  sequences 
in  a  job  is  equivalent  by  transforming  one  into  the  other  through 
a  series  of  transpositions  of  adjacent  events.  Prove  that  each  of 
the  transpositions  takes  a  sequence  in  the  job  into  another 
sequence  coj  in  the  job  which  is  equivalent  to  co^. 

Event  sequences  are  general  enough  that  they  could  have  been  selected  as 
the  representation  of  computations  in  the  entry-execution  model.  The  cost 
of  such  a  choice  would  have  been  that  of  having  to  manipulate  an  auxiliary 
tabulation  of  the  input  and  output  values  of  each  execution  (in  order  to 
define  equivalence  in  the  absence  of  explicit  memory  structure) . 

EE(L,I)  demonstrates  the  definition  of  a  canonical  entry  sequence 
corresponding  uniquely  to  a  (reduced)  event  sequence.  It  will  always  be 
possible  to  construct  such  a  canonical  entry  sequence.  There  will  always 
be  a  method  analogous  to  Definition  4.3-4  to  reconstruct  the  unique  event 
sequence  from  each  canonical  computation.  The  cost  of  using  entry 
sequences  as  computations  is  that  of  having  to  reconstruct  reduced  event 
sequences  at  each  transposition  in  the  determinacy  proof.  This  was  judged 
to  be  the  more  efficient  alternative. 

This  argues  for  defining  a  job  J  in  EE(L,I)  as  the  set  of  canonical 
computations  derived  from  all  possible  firing  sequences  starting  in  all 
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initial  states  in  E.  But  J  actually  contains  many  non-canonlcal  permu- 
tations  of  these  computations.  This  is  because  transforming  one  canonical 
computation  into  a  different  one  requires  a  complex  permutation,  dependent 
on  the  exact  form  of  canonical  computation  peculiar  to  a  model.  To  base 
a  determlnacy  proof  on  such  a  complex  permutation  would  defeat  the  goal  of 
applicability  to  a  wide  range  of  models.  The  only  elementary  permutation 
which  can  be  used  repetitively  to  take  any  entry  sequence  into  any  other 
is  a  transposition  of  two  adjacent  entries.  This  imposes  the  requirement 
on  a  model  that  any  computation  in  a  job  can  be  transformed  into  any  other 
by  a  series  of  transpositions  such  that  all  intermediate  computations  are 
also  in  that  Job.  Accordingly,  Jobs  in  EE(L,I)  are  augmented  as  in 
Definition  4.3-5. 

4.3.2  Properties  of  Models  of  Specific  Data-Flow  Interpreters 

The  foregoing  has  defined  the  entity  EE(L,I)  for  any  data-flow 
language  L  run  on  any  interpreter  I.  The  rest  of  the  thesis  is  concerned 
with  the  models  of  various  data-flow  languages  run  on  two  specific 
Interpreters;  the  following  notation  will  be  used  to  differentiate  between 
these  Interpreters: 

For  any  data-flow  language  L: 

EE(L,S)  denotes  the  model  of  L  run  on  the  standard  interpreter,  and 
IE(L,M)  denotes  the  model  of  L  run  on  the  modified  interpreter. 
mi«  concluding  sub-section  develops  important  general  properties  common 
<>f  languages  run  on  either  of  these  Interpreters. 

•X*  first  property  is  that,  for  any  language  L,  EE(L,S)  and  EE(L,M) 
...  #* try-execution  models.  The  only  non-trivial  proof 
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requlred  Is  that,  for  every  program  P,  every  computation  In  every  job  from 
the  expansion  of  P  Is  a  computation  for  lnt(P).  Since  every  such  compu¬ 
tation  is  a  prefix  of  a  permutation  of  one  of  a  certain  set  of  canonical 
computations,  it  is  shown  first  that  all  of  those  canonical  computations 
are  computations  for  Int(P).  This  proof  requires  two  preliminary  results, 
of  wide  applicability,  which  are  separated  out  as  Lemma  4.3-1  next. 

Given  the  canonical  computation  rj(5,2)  for  any  initial  state  S  and 
firing  sequence  S2  starting  in  S,  the  following  is  apparent  from  Algorithm 
4.3-1:  the  appearance  in  -p(5,S2)  of  an  entry  with  value  v  whose  transfer 
has  destination  Dst(Ex(d,k) , j)  means  that  the  k*"*1  firing  of  d  removed  a 
token  of  value  v  from  d's  number-j  input  arc.  Lemma  4.3-1  proves  a 
symmetric  statement  about  the  significance  of  an  entry  with  value  v  whose 
transfer  has  source  Src(Ex(d,k) , j) .  Usually,  this  means  that  tokens  of 
value  v  were  placed  on  the  number-j  group  of  output  arcs  of  d  at  d's  k^ 
firing.  However,  this  may  not  be  strictly  true  if  d  is  a  Select  and  those 
outputs  were  withheld  on  the  modified  interpreter;  hence  the  weaker 
assertion  of  the  Lemma  below.  Also  shown  is  how  the  number  of  input 
entries  to  Ex(d,k)  in  t](S,S2)  is  related  to  the  number  of  firings  of  d  in  £>. 

Lemma  4.3-1  Let  S  be  any  initial  standard  or  modified  state  for  a  program 
P,  let  Q  be  any  firing  sequence  starting  in  S,  and  let  Int(P)  be  (St,/, IE). 
Then: 

A:  For  any  entry  f  in  ^(5,52),  let  the  source  in  T(f)  be  Src(Ex(d,k)  ,i) , 
and  let  V(f)  be  v.  If  d  is  in  St-DL,  then  there  is  a  prefix  A<p  of 
Q  containing  exactly  k  firings  of  d  such  that  tokens  of  value  v, 
(v,R),  or  (v,W)  appear  on  the  number-i  group  of  output  arcs  of  the 
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actor  labelled  d  in  P  at  the  transition  from  S'  A  to  S' bp. 

B:  For  any  execution  d  *  Ex(d,k),  if  d  is  in  St-DL,  then  the  number  of 
input  entries  to  e  in  r)(S,2)  or  in  a(S,2)  is  given  by 

0  if  there  are  fewer  than  k  firings  of  d  in  2 

In(/(d))  otherwise 


Proof: 

(1)  Let  b  be  any  arc  in  P,  and  let  0  be  any  prefix  of  2  such  that  there 

is  a  token  of  value  X  on  b  in  5*0.  Assume  b  is  in  the  number-i 
group  of  output  arcs  of  actor  d  and  there  are  exactly  k>0  firings 
of  d  in  0.  Let  Hcp^  be  the  prefix  of  2  in  which  (p^  is  the  kth 
firing  of  d.  Then  is  a  firing  sequence  starting  in  S,  and  so 
d  is  enabled  inS'S  Def.  2.3-1 

(2)  There  is  no  token  on  any  output  arc  of  d  in  S *S(1)+Defs.  3. 3-6+2. 1-4 

(3)  There  is  a  prefix  Acp  of  0  longer  than  S  -  i.e.,  containing  exactly 

k  firings  of  d  -  such  that  tokens  of  value  X  appear  on  the  number-i 
group  of  output  arcs  of  d  at  the  transition  from  S’A  to  S*A(p(l)+(2) 
Now  prove  that  A  and  B  are  true  with  co(£>2)  substituted  for  r|(S,2),  by 
induction  on  the  length  of  2. 

Basis:  |2 |  ■  0. 

(4)  wCS»2)  *  X,  which  has  zero  entries  Alg.  4.3-1 

(5)  A  is  vacuously  true  (4) 

(6)  For  any  d€St-DL.and  k>0,  there  are  fewer  than  k  firings  of  d  in  2» 

and  there  are  zero  input  entries  to  Ex(d,k)  in  bi(S,Sl)t  hence  B  (4) 
Induction  step:  Assume  A  and  B  are  true  for  co(?,2)  if  |2|  ■  n  and  con¬ 
sider  2  ■  6<p»  of  length  n+1,  in  which  the  last  firing  <p  is  of  actor  c. 


-181- 


Let  a  “  <o(S ,Q)  and  p  ■  co(S,(kp). 

(7)  Let  f  be  any  entry  which  is  In  p  but  not  in  a,  let  the  source  in 

T(f)  be  Src(Ex(d,k) ,i) ,  and  let  V(f)  be  v.  If  d€St-DL,  there  is 
a  token  of  value  v,  (v,R),  or  (v,W)  on  an  arc  in  the  number-i 
group  of  output  arcs  of  d  in  S '9,  and  there  are  exactly  k>0 
firings  of  d  in  0  Alg.  4.3-1 

(8)  A  is  true  for  f  (7)+(l)+(3) 

(9)  Since  A  is  true  for  all  f  in  a,  A  is  true  for  all  f  in  p 

(8)+ind.  hyp.  A 

(10)  Let  j  be  such  that  there  are  exactly  j  firings  of  c  in  0<p.  Then 

p  is  a  followed  by  m  input  entries  to  e  ■  Ex(c,j),  where  m  is  the 

number  of  c's  input  arcs  from  which  tokens  are  removed  in  the 
transition  from  5*0  to  5*0$  Alg.  4.3-1 

(11)  For  any  d*St-DL  and  k>0,  (d#c  v  k*j)  =»  there  are  fewer  than  k 

firings  of  d  in  0  iff  there  are  fewer  than  k  firings  of  d  in  0cp  A 

there  are  the  same  number  of  input  entries  to  Ex(d,k)  in  p  as 

in  a  (10) 

(12)  =»  B  for  d  and  k  ind.  hyp.  B 

(13)  There  are  fewer  than  j  firings  of  c  in  0  but  not  in  ©q>  (10) 

(14)  There  are  0  input  entries  to  e  in  a  (13)+ind.  hyp.  B 

(15)  There  are  m  input  entries  to  e  in  p  (10)+(14) 

(16)  m  -  In(/(d))  (10)+Defs.  4. 3-1+4. 3-2 

(17)  B  for  a>(5 ,0(p)  (12)+(13)+(15)+(16) 

Thus  it  is  proven  that  A  and  B  are  true  for  o>C?,&)  for  any  &.  Now  prove 

that  A  and  B  are  true  for  r)(S,&).  If  &  is  not  halted,  then 

•n(<S,S2)  ■  «a(5,8).  Assume  therefore  that  8  is  halted. 
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(18)  Let  a  ■  gj(S,2)  and  p  -  13(5,2).  Let  f  be  any  entry  in  p,  let 

Src(Ex(d,k) ,i)  be  the  source  in  T(f),  and  let  V(f)  ■  v.  If  f  is 
in  a,  then  A  is  true  by  the  above.  Assume  therefore  that  f  is  not 
in  a.  If  dfSt-DL,  then  there  is  a  token  of  value  v,  (v,R),  or 
(v,W)  on  an  arc  in  the  number-i  group  of  output  arcs  of  the  actor 
labelled  d  in  5*2,  and  there  are  exactly  k  firings  of  d  in  2 

Alg.  4.3-1 

(19)  A  for  f,  hence  for  all  entries  in  r](5,2)  (18)+(l)+(3) 

(20)  For  any  execution  Ex(d,k),  if  d€St-DL,  then  the  number  of  input 

entries  to  the  execution  in  p  is  the  same  as  in  a.  By  the  above, 
that  number  is  0  if  there  are  fewer  than  k  firings  of  d  in  2,  or 
In(/(d))  otherwise  Alg.  4.3-1 

A 

Now  it  can  be  shown  that  the  canonical  computations  used  to  generate 
the  computations  in  the  expansion  of  P  are  all  computations  for  Int(P) . 
Also  Important  to  note  is  that  any  canonical  computation  is  causal.  The 
proof  of  these  properties  is  not  very  enlightening,  and  so  has  been 
relegated  to  Appendix  C. 

Lemma  4.3-2  Let  S  be  any  initial  standard  or  modified  state  of  any 
program  P,  and  let  2  be  any  firing  sequence  starting  in  5.  Then  t](5,2) 
is  a  causal  computation  for  Int(P). 

A 

For  every  computation  a  in  a  job  from  the  expansion  of  program  P, 
there  is  an  initial  state  S  for  P  and  a  firing  sequence  2  starting  in  S 
such  that  the  set  of  entries  in  a  is  a  subset  of  those  in  r)(5,2).  Thus 
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it  Is  easy  to  show  from  the  above  that  a  Is  a  computation  for  Int(P),  and 
that  therefore: 

Theorem  4.3-1  Given  any  data-flow  language  L,  both  EE(L,S)  and  EE(L,M) 
are  entry-execution  models. 


Proof : 

(1)  The  entities  V,  L,  A,  and  In  in  both  EE(L,S)  and  EE(L,M)  satisfy 

the  corresponding  specifications  for  a  model  Defs.  4. 3-1+4. 2-1 

(2)  Let  E  be  the  set  of  expansions  from  either  EE(L,S)  or  EE(L,M),  and 

let  (Int,J)  be  any  ordered  pair  in  E.  Then  (Int ,«/)  corresponds 

to  a  program  P  in  L  Def.  4.3-1 

> 

(3)  Int  *  Int(P),  which  is  an  interpretation  Defs.  4. 3-2+4. 2-2+4. 3-1 

(4)  Let  J  be  any  job  in  J.  Then  there  is  an  equivalence  class  E  of 

initial  (standard  or  modified)  states  for  P  such  that  J  *  J£ 

Def.  4.3-2 

(5)  Let  a  be  any  computation  in  J.  Then  there  is  an  initial  (standard 

or  modified)  state  S€E  and  a  halted  firing  sequence  2  starting  in 
S  such  that  a  is  a  prefix  of  some  p  in  Def.  4.3-3 

(6)  p  is  a  permutation  of  r)(S,2),  so  the  set  of  entries  in  a  is  a  subset 

of  the  set  of  entries  in  r)(,S,Q)  (5)+Def.  4.3-5 

(7)  ti(S,2)  is  a  computation  for  Int(P)  ■  Int.  Let  Int  -  (St,  /,IE) 

f53+Lemma  4.3-2 


(8)  Let  e  •  Ex(d,k)  be  any  execution  of  which  there  is  either  an  input 
or  an  output  entry  in  o.  Then  there  is  an  input  or  output  entry 
of  e  in  r\(.St 8)  ^ 
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(9)  d €St  and  there  are  at  most  In(/(d))  Input  entries  to  e  in  t)(S,2)> 

hence  In  a  (8)+(7)+(6)+Def .  4.2-6 

(10)  The  destinations  of  the  transfers  of  the  entries  in  a  are  all 

distinct,  and  all  entries  whose  transfers  have  the  same  source 
have  the  same  value  (7)+(6)+Def.  4.2-6 

(11)  a  is  a  computation  for  Int  (8)+(9)+(10)+Def .  4.2-6 

(12)  J  is  a  job  for  Int  (5)+(ll)+Def .  4.2-3 

(13)  (Int ,J)  is  an  expansion  (4)+Def.  4.2-2 

(14)  E is  a  set  of  expansions,  so  EE(L,S)  and  EE(L,M)  are  entry-execution 

models  (2)+(13)+(l)+Def .  4.2-1 


A 

It  was  argued  briefly  earlier  that  the  firing  sequence  reconstructed 
from  any  canonical  computation  tj(S,2)  is  the  reduction  of  &.  The  follow¬ 
ing  Lemma  provides  a  rigorous  demonstration  of  this.  It  then  uses  that 
result  to  make  explicit  the  tacit  assumption  that  a  job  contains  all  of 
the  canonical  computations  used  to  generate  it. 


Lemma  4.3-3  For  any  data-flow  program  P,  let  S  be  any  initial  standard 
or  modified  state  for  P,  let  2  be  any  halted  firing  sequence  starting  in 
5,  and  let  Int(P)  be  (St,/, IE).  Then  the  firing  sequence  reconstructed 
from  T](S,fi)  wrt  Int(P) ,  <I>(t)(S,Q))  ,  is  the  reduction  of  2  and  r)(S»2)  is 

ln  JS,2* 

Proof:  All  initiations  and  reconstructions  are  with  respect  to  Int(P). 
(1)  Let  p  »  t)(S,2)  and  let  a  »  t](S,2).  Then  p  is  a  permutation  of 


r|(5,2)  and  p  is  a  followed  by  input  entries  to  executions  in  the 
set  {Ex(d,k)|  d€DL)  Alg.  4.3-1+Def.  4.3-1 
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(2)  $(P)  -  4>(a)  (1)+Def.  4.3-4 

Prove  by  Induction  on  the  length  of  the  prefixes  0  of  2  that  $(a)  is  the 
reduction  of  2. 

Basis:  |0|  «  0. 

(3)  coCS1,©)  ■  X,  the  empty  computation  Alg.  4.3-1 

(4)  <Hoo(S,0))  *  X,  which  is  the  reduction  of  0  (3)+Defs.  4. 3-4+2. 4-5 

Induction  step:  Assume  that  for  the  length-n  prefix  0  of  2,  n>0, 
<£(co(S,9))  is  the  reduction  of  0,  and  consider  prefix  Qtp  of  length  n+1,  in 
which  the  last  firing  <p  is  of  actor  d. 

(5)  Let  6  «  as(S,9)  and  y  **  6>C5>,0(p).  Then  y  is  6  followed  by  m  input 

entries  to  Ex(d,k),  where  (p  removes  m  tokens  Alg.  4.3-1 

(6)  m  =  In(  /(d))  (5)+Defs.  4. 3-2+4. 3-1 

(7)  Exactly  one  entry  which  is  in  y  but  not  in  6  is  the  initiating  entry 

of  an  execution,  and  that  execution  is  Ex(d,k)  (5)+(6)+Def .  4.2-6 

(8)  <Ky)  is  $(6)<p',  where  <p’  is  the  label  d  (7)+Def.  4.3-4 

(9)  $(6)  is  the  reduction  of  0 

(10)  The  reduction  of  0<p  is  the  reduction  of  0  followed  by  a  firing 

which  is  the  label  d  Def.  2.4-5 

(11)  $(y)  Is  the  reduction  of  ©<p  (8)+(9)+(10) 

Thus  it  is  proven  inductively  that 

(12)  $(t)(S,2))  •  f(p)  ■  4>(a)  is  the  reduction  of  2  (l)+(2) 

(13)  p  is  causal  wrt,  and  is  a  computation  for,  Int(P)  (1)+Lemma  4.3-2 

(14)  Let  yf  be  any  prefix  of  p  in  which  f  ■  Ent(e,j),  where  e  -  Ex(d,k) 

and  d€St-DL.  Then  f  is  in  a  (1) 

(15)  Let  A<p  be  the  shortest  prefix  of  2  such  that  f  is  in  coOS ,  Acp)  •  Then 
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<p  Is  a  firing  of  d,  and  every  entry  which  is  in  y  but  not  in 

to (5 , A)  is  an  input  entry  to  e  Alg.  4.3-1 

(16)  There  are  at  most  ln(/(d)>  input  entries  to  e  in  p,  so  there  are 

fewer  than  In(/(d))  in  y  (14)+(13)+Def .  4.2-6 

(17)  No  entry  which  is  in  y  but  not  in  co(S,A)  is  an  initiating  entry 

(16)+(15)+Def.  4.2-6 

(18)  <J>(y)  *  $(a)(S ,  A)  )  ,  which  is  the  reduction  of  A  (17)+(11)+Def .  4.3-4 

(19)  A  is  the  prefix  of  2  whose  reduction  is  $(y)  (18)+(15) 

(20)  d  is  enabled  in  S-A  (15)+Def.  2.3-1 

(21)  Let  yf  be  any  prefix  of  p  in  which  f  *  Ent(Ex(d,k) , j)  where  dfDL 

and  d  *  (c,n).  Let  b  be  the  number-n  program  output  arc  of  P,  if 

c  -  "OD",  or  else  the  number-n  input  arc  of  c.  Then  f  is  not  in 
a  and  there  is  a  token  on  b  in  5*2  (1)+Alg.  4.3-1 

(22)  a  is  a  prefix  of  y,  and  every  entry  which  is  in  y  but  not  in  a  is  an 

input  entry  to  an  execution  Ex(d',k')  where  d'fDL  (21)+Alg.  4.3-1 

(23)  $(y)  -  $(a)  (22)+Defs.  4. 2-6+4. 3-4 

(24)  2  is  the  prefix  of  2  whose  reduction  is  $(y)  (23)+(12) 

(25)  There  is  a  token  on  b  in  S’ 2,  and  since  2  is  halted,  there  is  no 

firing  sequence  starting  in  5*2  (21)+Def .  2.3-1 

(26)  p  is  in  J_  (l)+(12)+(13)+(14)+(19)+(20)+(21)+(24)+(25)+Def.  4.3-5 

D 

A 

By  the  construction  in  Algorithm  4.3-1,  the  integer  k  in  an  execution 
Ex(d,k)  serves  as  an  index  among  all  the  executions  of  d  initiated  in  a 
canonical  computation.  I.e.,  Ex(d,k^)  is  Initiated  before  Ex^kj)  only 
if  k^  <  k^ •  The  final  general  result  presented  here  is  that  this  indexing 
property  is  exhibited  by  all  computations.  An  intermediate  deduction  in 
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the  proof  will  be  needed  directly  In  Chapter  7;  for  convenience.  It  is 
here  separated  out  and  proven  first. 

Theorem  4.3-2  Let  P  be  any  data-flow  program,  and  let  Int(P)  be  (St,/, IE). 
For  any  initial  standard  or  modified  state  S  for  P  and  any  halted  firing 
sequence  2  starting  in  S,  let  a  be  any  prefix  of  any  causal  permutation  of 
ti(S,2).  Let  0  be  any  prefix  of  2  whose  reduction  is  $(a).  Then  for  any 
execution  e  -  Ex(d,k)  where  d€St-DL,  e  is  initiated  in  a  »  there  are  at 
least  k  firings  of  d  in  0. 

Proof : 

(1)  d€St-DL  =»  d  is  the  label  of  an  actor  in  P,  and  /(d)  is  its  action 

Def.  4.3-2 

(2)  =»  In(/(d))  >0  (lj+Defs.  4 . 3-1+2 . 1-5+2 . 1-2 

Prove  =»  first,  by  induction  on  the  length  of  a.  All  initiations  and 
reconstructions  4>  are  with  respect  to  Int(P). 

Basis:  |a|  -  0. 

(3)  For  any  execution  e  *  Ex(d,k)  where  d€St-DL,  e  is  not  Initiated  in 

a,  so  »  is  vacuously  true  (2)+Def.  4.2-6 

Induction  step:  Assume  *»  is  true  for  any  a  of  length  n>0,  and  consider 
a  ■  yf  of  length  n+1,  which  is  a  prefix  of  some  causal  permutation  p  of 
co  ■  t)(S,2)  . 

(4)  <f>(y)  i*  «  prefix  of  $(yf)  Def.  4.3-4 

(5)  For  any  execution  e  -  Ex(d,k)  where  d€St-DL,  e  is  initiated  in  y 


•  there  are  at  least  k  firings  of  d  in  any  prefix  of  2  whose 
reduction  is  #(y)  ind.  hyp. 
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(6)  =»  there  are  at  least  k  firings  of  d  In  any  prefix  of  £  whose 

reduction  Is  4>(yf)  (4)+Def.  2.4-5 

(7)  f  Is  not  the  initiating  entry  to  an  execution  Ex(d,k)  where  d^St-DL 
=»  [for  every  such  execution  e,  e  is  initiated  in  yf  =»  e  is  initiated 

in  y  a  there  are  at  least  k  firings  of  d  in  any  prefix  of  £  whose 
reduction  is  $(yf)]  (5)+(6)+Def.  4.2-6 

(8)  Assume  f  is  the  initiating  entry  in  yf  of  execution  e  =  Ex(d,k) 

where  d€St-DL.  co  is  a  computation  for  Int(P)  Lemma  4.3-2 

(9)  co  has  at  most  In(/(d))  input  entries  to  e  (8)+Def.  4.2-6 

(10)  a  and  co  contain  the  same  set  of  ln(/(d))>0  input  entries  to  e 

(9)+(8)+Def .  4.2-6 

(11)  There  is  some  j  such  that  b,  the  number-j  input  arc  of  d,  has  a 

token  removed  at  each  firing  of  d  (1)+Def.  2.1-5 

(12)  Since  there  is  at  least  one  entry  to  e  in  co,  there  are  k  firings 

of  d  in  £  (10)+Alg.  4.3-1 

(13)  There  is  an  entry  g  in  co,  hence  in  a,  whose  transfer  has  destination 

Dst(e.j)  (12)+(1I)+(1D)+Alg.  4.3-1 

(14)  Let  Src(Ex(d' ,k') ,i)  be  the  source  in  T(g).  Then  there  is  a  prefix 

Acp  of  £  in  which  <p  is  the  k^  firing  of  d,  and  c p  removes  a  token 
from  b.  d'€DL  «*  d' €{"IT",,,IF",,,ID"}  ■»  the  token  removed  from 
b  by  <p  is  on  b  in  S  (ll)+Alg.  4.3-1 

(15)  •  cp  is  the  first  firing  of  d,  so  k  ■  1  (11) 

(16)  *»  since  at  least  e  is  initiated  in  a,  $(a)  has  at  least  k  firings 

of  d  Def.  4.3-4 

(17)  any  prefix  of  £  whose  reduction  is  <$(a)  has  at  least  k  firings 


■'  *  •UMHtmiimVv k» ftue 


Def.  2.4-5 


(18)  Assume  cUSt-DL  and  k>l.  Then  there  are  exactly  k'  firings  of  d' 

In  A  (14)+(15)+Alg.  4.3-1 

(19)  Since  g  Is  an  output  entry  of  Ex(d'tk'),  the  Initiating  entry  of 

Ex(d',k')  strictly  precedes  g  in  a,  hence  is  in  y 

(8)+(13)+(14)+Defs.  4. 2-5+4. 2-7 


(20)  <Kyf)  is  <Ky)<p,  where  <p  is  a  firing  of  d 


(8)+Def.  4.3-4 


(21)  Let  0cp  be  any  prefix  of  2  whose  reduction  is  <Hyf).  Then  the  last 

firing  cp  in  0q>  is  of  d,  and  the  reduction  of  0  is  $(y) 

(20)+Def.  2.4-5 

(22)  There  are  at  least  k*  firings  of  df  in  0  (19)+(21)+(5)+(6) 

(23)  The  k-lSt  firing  of  d  removes  a  token  from  b,  as  does  the  k^ 

(11)+(18) 

(24)  There  is  a  prefix  S <p'  of  A  containing  k-1  firings  of  d  such  that  a 

token  appears  on  b  in  the  transition  from  S*S  to  S'Scp'  (23)+(14) 

(25)  Either  cp’  is  a  firing  of  d’f  or  d’  is  a  Select  which  is  in  a  pool 


in  S’ S  but  is  not  in  a  pool  in  5’S(p' 


(24)+Def.  3.3-9 


(26)  Let  X<p"  be  the  prefix  of  S2  in  which  <p"  is  the  k-1  firing  of  d. 

There  is  no  firing  of  d'  in  X  =»  d*  is  not  in  a  pool  in  S'X 

(23)+Def .  3.3-9 

(27)  There  is  a  firing  of  d'  in  X  =»  there  is  a  longest  prefix  Tcpd,  of  X 

such  that  there  is  no  token  on  b  in  S’Y,  but  there  is  one  in  S*¥<pd, 


=»  d'  is  not  in  a  pool  in  5'T<pd, 


(26)+(23)+Def .  3.3-9 


(28)  •»  For  every  prefix  T’  of  2  with  (Ytp^il  S  |Y'|  5  |x|,  there  is  a 

token  on  bin  S’Y',  so  d'  is  not  enabled  (23)+Defs.  3. 3-6+2. 1-5 
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(29)  =  d'  Is  not  In  a  pool  in  S'X  (27)+Def.  3.3-9 

(30)  d'  is  not  in  a  pool  in  S‘X  (26)+(27)+(29) 

(31)  d'  is  in  a  pool  in  S‘ S  «•  there  is  a  firing  of  d'  in  E,  hence  in  A, 

but  not  in  X  at  which  d'  is  placed  in  a  pool  (30/+Def.  3.3-9 

(32)  There  is  a  firing  of  d'  between  the  k-l8t  and  firings  of  d 

(24)+(25)+(31) 

(33)  Exactly  k'  firings  of  d’  precede  the  k1"^1  firing  of  d,  so  at  most 

k'-l  firings  of  d'  precede  the  k-lSt  firing  of  d  (14)+(32) 

(34)  There  are  fewer  than  k  firings  of  d  in  0<p  =»  the  last  firing  <p  is  the 

nC^  firing  of  d,  for  n<k  (21) 

(35)  At  most  k'-l  firings  of  d'  are  in  0  (33) 

(36)  There  are  at  least  k  firings  of  d  in  0<p  (34)+(35)+(22) 

Thus  it  is  proven  by  induction  that 

(37)  e  »  Ex(d,k)  is  initiated  in  a  =»  there  are  at  least  k  firings  of  d 

in  0  (14)+(15)+(17)+(36) 

Next  prove  the  converse,  by  contradiction.  Assume 

(38)  There  is  an  a  and  an  prefix  0  of  &  whose  reduction  is  4>(a),  and  some 

dfSt-DL  and  k>0  such  that  there  are  at  least  k  firings  of  d  in  6, 
but  Ex(d,k)  is  not  initiated  in  a 

(39)  Let  n>k  be  the  number  of  firings  of  d  in  0.  Then  there  are  n 

executions  of  d  initiated  in  a  (38)+Def.  4.3-4 

(40)  Since  Ex(d,k)  is  not  initiated  in  a,  there  is  an  m>n  such  that 

Ex(d,m)  is  initiated  in  a  (39) 

(41)  There  are  at  least  nt>n  firings  of  d  in  0  (37)-K40) 


1 


Since  (38)  leads  to  a  contradiction  between  (39)  and  (41),  (38)  is  false 
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i.e.,  there  are  at  least  k  firings  of  d€St-DL  in  9  =»  Ex(d,k)  is  initiated 
in  a. 

A 

Corollary  4.3-1  Let  P  be  any  data  flow  program  and  let  Int(P)  be 
(St,/, IE).  Let  S  be  any  initial  standard  or  modified  state  for  P,  and  let 
ft  be  any  halted  firing  sequence  starting  in  S.  Let  p  be  any  computation 
in  Jc  _.  For  any  d€St-DL  and  integer  k  such  that  Ex(d,k)  is  initiated 

&  »  So 

wrt  Int(P)  in  p,  the  initiating  entry  to  that  execution  is  preceded  in  p 
by  exactly  k-1  initiating  entries  to  other  executions  of  d. 

Proof ;  By  induction  on  n,  the  number  of  executions  of  d  initiated  in  each 
prefix  of  p  (all  initiations  and  reconstructions  are  wrt  Int(P)). 

(1)  In( /(d))  >0  Defs.  4 . 3-2+4 . 3-1+2 . 1-5+2 . 1-2 

(2)  For  any  prefix  a  of  p,  let  9  be  any  prefix  of  ft  whose  reduction  is 

4>(a).  Then  the  number  of  firings  of  d  in  0  equals  the  number  of 
executions  of  d  initiated  in  a  Defs.  4. 3-4+2. 4-5 

Basis:  n  =  1. 

(3)  There  is  one  firing  of  d  in  0  (2) 

(4)  Let  Ex(d,k)  be  the  one  execution  of  d  initiated  in  a.  There  are 

at  least  k  firings  of  d  in  0  (2)+Thm.  4.3-2 

(5)  k  -  1  (3)+(4) 

Induction  step:  Assume  the  Corollary  is  true  for  the  first  n  initiating 
entries  to  executions  of  d  in  p,  n?0. 

(6)  Let  y  be  the  shortest  prefix  of  p  in  which  there  are  exactly  n 

executions  of  d  initiated.  Then  any  initiating  entry  in  y  to  an 
execution  Ex(d,i)  is  preceded  by  the  initiating  entries  to  exactly 


i-1  other  executions  of  d 


Ind.  hyp 
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(7)  Since  there  are  only  n  Initiating  entries  in  Y,  the  initiating  entry 

to  any  execution  of  d  in  y  is  preceded  by  the  Initiating  entries 
to  at  most  n-1  other  executions  of  d  (l)+(6) 

(8)  Ex(d,i)  is  initiated  in  y  =»  i-1  <  n-1  *i5n  (6)+(7) 

(9)  Since  there  are  n  executions  of  d  initiated  in  y,  Ex(d,i)  is 

initiated  in  y  iff  i  5  n  (6)+(8) 

8t 

(10)  Let  Ex(d,k)  be  the  execution  of  d  whose  initiating  entry  is  n+1 

in  p ;  i.e.,  that  entry  is  preceded  in  p  by  exactly  n  other  init¬ 
iating  entries  to  executions  of  d.  Let  a  be  the  shortest  prefix 
of  p  containing  that  initiating  entry.  Then  there  are  exactly 
n+1  firings  of  d  in  6  (2) 

(11)  There  are  at  least  k  firings  of  d  in  8,  so  k  <  n+1  (10)+Thm.  4.3-2 


(12)  Ex(d,k)  is  not  initiated  in  y 

(13)  k  <  n+1  •»  Ex(d,k)  is  initiated  in  y 

(14)  k  -  n+1 

(15)  The  n+l8t  execution  of  d  Initiated  in  p  is  Ex(d,n+1) 


(6)+(10)+(l) 


(11)+(13)+(12) 

(10)+(14) 


(16)  For  any  k  <  n+1,  if  Ex(d,k)  is  initiated  in  p,  then  its  initiating 
entry  is  preceded  in  p  by  the  initiating  entries  to  exactly  k-1 


other  executions  of  d 


(9)+(6)+(15) 

A 
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Chapter  5 

Structure-as-Storage  Models 

This  thesis  Is  concerned  with  defining  structure  operations  which 
make  it  easy  to  prove  that  parallel  programs  using  them  are  functional. 

The  entry-execution  model  has  been  introduced  as  the  vehicle  for  a  general 
proof  of  determinacy  (which  implies  functionality) .  Thus  the  definitions 
of  the  structure  operations  must  be  drawn  within  the  framework  of  this 
model.  This  Chapter  uses  the  operations  in  the  data-flow  language  LfiS  to 
illustrate  a  suitable  mode  of  definition. 

Constraints  on  computations  are  used  to  "define"  structure  operations 
in  the  following  sense:  This  Chapter  gives  a  set  of  example  constraints. 
Any  model  satisfying  all  of  these  is  called  a  Structure-as-Storage  (S-S) 
model.  These  constraints  concern  only  the  input  and  output  entries  of 
executions  of  structure  operations,  and  are  constructed  so  that  EE(L^g,S) 
is  an  S-S  model  (this  latter  point  is  proven  in  Section  5.3  below). 
Therefore,  any  other  language  whose  model  is  S-S  may  be  considered  to  have 
the  same  set  of  structure  operations  as  Lgg. 

The  Lgg  structure  operations  have  already  been  defined  using  a  schema 
model  of  data  flow  (Definition  2.2-5).  According  to  this  definition,  a 
structure  operation  selected  to  fire  in  a  state  5  outputs  values  depending 
on  just  its  inputs  at  that  firing  and  the  heap  in  S.  In  the  entry- 
execution  model,  even  though  the  concept  of  state  has  been  abstracted 
away,  it  is  not  difficult  to  define  the  heap  determined  by  a  computation; 
this  is  in  fact  done  in  Section  5.2.  The  output  entries  of  an  execution  e 
could  then  be  constrained  to  depend  just  on  e’s  input  entries  and  the  heap 
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determined  by  Che  computation  Immediately  preceding  e's  initiation.  To  do 
so,  however,  would  greatly  encumber  a  constructive  proof  along  the  lines 
of  the  Determinacy  Proof  Technique:  It  would  be  necessary  at  each  step 
to  characterize  not  only  the  newly-constructed  computation,  but  also  the 
heap  it  determines. 

A  computation  alone  contains  enough  Information  to  ascertain  the 
correct  output  of  most  executions.  It  has  already  been  decided  to  employ 
computations  to  convey  both  the  order  in  which  executions  occur  and  the 
values  of  their  inputs  and  outputs.  It  is  here  further  decided  to  fore¬ 
sake  the  heap  concept,  in  favor  of  using  computations  to  express  directly 
the  complex  interrelationships  which  exist  among  executions  of  structure 
operations. 

5.1  The  Constraints 

The  constraints  defining  a  Structure-as-Storage  model  are  listed 
next .  The  remainder  of  this  section  presents  the  constraints  and 
describes  how  each  is  derived  from  the  heap-oriented  model  of  4s- 

Definition  5.1-1  An  entry-execution  model  (V,  L,  A,  In,  E )  is  a 
S true tur e-as-S tor age  (S-S)  model  iff: 

1.  There  is  a  distinct  subset  V  of  the  atomic  value  domain  V.  Atomic 

P 

values  in  V  are  of  pointer  type.  All  other  values  in  V  are  of 
non-pointer  type;  included  among  these  are  nil  and  undef . 

2.  The  domain  A  Includes  the  following  eight  specific  actions,  and  In 
assigns  to  each  the  indicated  input  arlties:  Fetch  (1),  First  (1), 
Next  (2),  Select  (2),  Copy  (1),  Assign  (2),  Update  (3),  and 
Delete  (3). 


* 
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3.  For  every  expansion  (Int +J)  in  E,  for  every  job  J (J,  every  computa¬ 
tion  in  J  satisfies  the  following  constraints  (all  given  later) : 

The  Input/Output  Type  Constraint 
The  Atomic  Output  Constraint 

i 

The  Structure  Output  Constraint 
The  Unique  Pointer  Generation  Constraint 
Furthermore,  every  pair  of  computations  in  J  satisfies  the  Initial 
Structure  and  First/Next  Output  Constraints,  and  J  itself  satisfies  the 
Pointer  Transparency  Constraint. 

A 

5.1.1  Input/Output  Types 

From  Definition  2.2-5,  it  is  apparent  that  certain  inputs  to  structure 
operations  must  be  of  pointer  type.  Furthermore,  it  is  generally  true  that 
no  other  input  to  these  or  to  other  operations  may  be  of  pointer  type;  for 
example,  it  is  not  possible  to  do  arithmetic  on  pointers.  The  exception 
to  this  rule  are  the  pi  actions: 

Definition  5.1-2  Given  a  model  (V,  L,  A ,  In,  E) ,  an  action  a (A  is  a 
ps eudo-identi ty  (pi)  action  iff  the  following  is  true  for  every  interpre¬ 
tation  Int  -  (St,/, IE)  in  the  model:  For  any  execution  e  of  a  and 
computation  co  for  Int: 

1.  There  is  no  entry  in  co  whose  transfer  has  source  Src(e,l)  for  i?tl. 

2.  There  is  a  j,  depending  only  on  the  non-polnter-valued  input 
entries  to  e  in  co,  such  that  the  value  of  Src(e,l)  in  co  (if  any) 
equals  the  value  of  Ent  (e,j),  the  number-j  input  entry  to  e  in  co. 

A 


MRS*  'Mil  u.w 
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The  constraints  on  the  types  of  the  Inputs  and  outputs  of  execution 
e  are  translated  froa  Definition  2.2-5  into: 

Constraint  5.1-1  A  computation  co  for  Interpretation  (St,  /,IE)  satisfies 
the  Input /Output  Type  Constraint  iff,  for  all  dfSt  and  k>0,  the  input  and 
output  entries  of  Ex(d,k)  in  co  are  as  described  below,  depending  on  /(d). 

Structure  operations  -  Table  5.1-1  gives  the  type  of  input  entry  and 
source  values  of  each  execution  e  of  a  structure  operation. 

pi  actions  -  The  values  of  any  input  or  output  entries  of  an  execution 
of  a  pi  action  or  of  an  execution  in  IE  may  be  either  of  pointer  or 
of  non-pointer  type. 

All  others  -  The  value  of  any  input  or  output  entry  of  an  execution  of 
any  other  action  must  be  of  non-pointer  type. 

A 

5.1.2  PointeT  Transparency 

A  pointer's  only  Identity  stems  from  its  uniqueness;  i.e.,  the  only 
relationship  possible  between  two  pointers  is  that  they  are  distinct. 


Operation 

Input  Entries 

Sources  } 

Ent(e,l) 

Ent(e,2) 

Ent(e,3) 

Src(e,l) 

Src(e,2) 

Fetch 

ptr 

— 

— 

non-ptr 

non-ptr 

First 

ptr 

— 

— 

non-ptr 

non-ptr 

Next 

ptr 

non-ptr 

— 

non-ptr 

non-ptr 

Select 

ptr 

non-ptr 

— 

ptr 

non-ptr 

Copy 

ptr 

— 

— 

ptr 

ptr 

Assign 

ptr 

non-ptr 

— 

non-ptr 

non-ptr 

Update 

ptr 

non-ptr 

ptr 

non-ptr 

non-ptr 

Delete 

ptr 

non-ptr 

— 

non-ptr 

non-ptr 

Input /Output  Types 


Table  5.1-1 
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Any  set  of  n  distinct  pointers  will  serve  in  any  capacity  (such  as  dom  n 

in  a  heap)  equally  as  well  as  any  other  set  of  n  distinct  pointers. 

This  gives  rise  in  the  S-S  entry-execution  nodel  to  the  principle  of 

pointer  transparency:  For  any  computation  ca.  let  (p. ,p« . p  )  be  the 

■'  1  2  n 

set  of  distinct  pointers  appearing  as  the  values  of  entries  in  co,  and  let 
^<,1,<,2’  ’  *  *  ,qn^  be  anY  other  same-size  set  of  distinct  pointers.  Replacing 
p^  wherever  it  appears  as  the  value  of  an  entry  in  co  with  q^,  for 

i  ■  1,2 . .  yields  a  new  computation  which  is  identical  to  within 

pointer  values  to  co.  Any  computation  so  related  to  co  is  in  every  job  that 
co  is  in. 


Definition  5.1-3  IVo  computations  co^  and  co^  are  identical  to  within 
pointer  values .  written 


co2  cs  ^ 

iff  there  is  a  total  one-to-one  mapping  Y  over  V  such  that  co0  can  be 

P  2 

derived  from  co^  by  substituting  for  each  entry  f€co^  a  similar  entry,  whose 
transfer  is  T(f)  and  whose  value  is  given  by 

if  V(f )  is  not  a  pointer,  then  V(f),  else  Y(V(f)). 


A 


Constraint  5.1-2  A  job  J  satisfies  the  Pointer  Transparency  Constraint 
iff  for  any  computation  co^€J  and  any  other  computation  a^, 

C02  O*  *»  COjfJ 


5.1.3  The  Concept  of  Reach 

As  mentioned  earlier,  the  intent  here  is  to  define  the  L^g  structure 
operations  without  reference  to  a  heap.  That  is,  the  outputs  of  any  execu¬ 
tion  of  such  an  operation  are  to  depend  upon  just  the  inputs  to  that  and 
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to  previously-initiated  executions.  The  current  sub-section  analyses  this 
dependence  precisely*  using  the  schema  model  of  LfiS  from  Chapter  2;  the 
algorithm  of  Section  4.3  will  then  be  used  to  take  this  dependence  into 
constraints  on  computations  in  EE(Lgg,S). 

The  most  Important  new  concept  in  a  heapless  definition  of  structure 
operations  is  that  of  the  reach  of  a  write-class  firing  (Assign, 

Update,  or  Delete.)  This  section  concentrates  on  defining  the  reach  R(A) 
of  an  Assign  firing  A  in  a  firing  sequence  S;  the  reach  of  an  Update  or 
Delete  is  a  straightforward  extension  of  this.  The  principle  of  reach 
is  that  R(A)  should  consist  of  just  each  firing  ip  in  2  for  which  the 
state  change  effected  by  <p  depends  directly  on  the  atomic  input  to  A. 

The  significance  of  this  principle  is  two-fold:  1)  The  output  of  a 
Fetch  firing  F  is  necessarily  equal  to  the  atomic  input  of  that  unique 
Assign  firing  into  whose  reach  F  falls.  2)  For  any  Assign  operator  d 
in  a  determinate  program,  the  reach  of  the  kth  firings  of  d  in  all  firing 
sequences  starting  in  equal  Initial  states  for  the  program  is  the  same. 

Two  other  new  concepts  —  access  history  and  duration  —  must  be 
Introduced  before  reach  can  be  defined.  The  access  history  for  pointer  p 


in  firing  sequence  2,  Hp,  is  the  sub-sequence  of  structure  operator  firings 
in  2  whose  pointer  inputs  equal  p;  it  may  be  said  that  these  are  the 


firings  in  2  which  "access  the  node  n  *  Il(p)."  For  any  Assign  firing  A 
in  2  which  accesses  .n,  the  duration  D(A)  is  defined  as  follows:  Let  v  be 


the  value  of  A's  atomic  input.  Then  D(A)  is  the  set  of  firings  in  2  which 
access  either  n  or  a  copy  of  n  during  a  period  when  that  node's  value 


must  equal  v. 
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The  reach  of  A  Is  a  subset  of  the  duration  of  A.  Precise  identifi¬ 


cation  of  all  the  firings  in  D(A) ,  and  of  that  subset  of  these  which  is 
R(A) ,  is  done  in  two  steps:  first  all  those  firings  which  access  n,  and 
then  those  which  access  copies  of  n. 

1.  Firings  which  access  n  - 

Let  A'  be  the  next  Assign  firing  following  A  in  H  ,  if  any.  Then 

P 

D(A)  contains  (among  others)  all  firings  in  following  A  but  not 
following  A'  (this  includes  A').  The  effect  of  firing  A  is  to  assign 
the  value  in  SM(n)  to  be  v,  and  the  effect  of  A'  is  to  change  that  value. 
Therefore,  the  value  of  SM(n)  is  guaranteed  to  be  v  just  at  those  firings 
after  A  but  not  after  A*.  I.e.,  each  firing  in  D(A)  which  accesses  node 

n  does  so  while  the  value  in  SM(n)  is  guaranteed  to  be  v. 

A  firing  F  of  a  Fetch  operator  d  in  D(A)  effects  a  state  change 
which  is  distinguished  by  the  placement  of  tokens  with  value  v  on  d's 
output  arcs.  This  dependence  means  that  every  Fetch  firing  in  the 
duration  of  A  is  in  the  reach  of  A.  Similarly,  the  control  output  of  A' 
depends  on  whether  or  not  the  value  in  SM(n)  just  before  that  firing  is 
nil.  Since  this  value  is  the  one  assigned  by  A,  A'  (if  it  exists)  is 
in  R(A) . 

Finally,  let  C  be  any  Copy  firing  in  D(A)  which  accesses  n.  This 
activates  a  new  node  m.  SM(m)  in  the  state  Immediately  following  C  equals 
SM(n)  in  the  state  immediately  preceding  C.  Since  C  is  in  D(A) ,  the  value 
in  that  content  equals  the  value  assigned  by  A.  Therefore,  any  Copy 
firing  in  D(A)  is  also  in  R(A) .  Copy,  Fetch,  and  Assign  operators  are 
the  only  ones  which  effect  state  changes  that  depend  on  the  value 
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asslgned  Co  a  node;  hence  the  reach  of  an  Assign  firing  contains  only 
Fetch.  Assign,  and  Copy  firings. 

2.  Firings  which  access  copies  of  n  - 

Let  C  be  any  Copy  firing  in  D(A)  which  accesses  n,  let  q  be  its 
pointer  output,  and  let  m  *  n(q).  Then  the  initial  value  in  SM(m)  equals 
v.  Define  the  initial-value  duration  for  q,  D  ,  to  be  the  set  of  all 

q 

firings  in  H  not  following  the  first  Assign  firing  (if  any).  Then  D 

q  q 

consists  of  just  those  firings  which  access  m  while  it  still  has  its 
initial  value  v.  Therefore,  for  any  firing  <p  in  D  of  a  Fetch,  Assign,  or 

q 

Copy,  the  state  change  effected  depends  directly  on  the  atomic  input  to  A, 
and  so  <p  belongs  in  the  reach  of  A.  By  defining  D(A)  to  Include  D^,  R(A) 
remains  just  all  Fetch,  Assign,  or  Copy  firings  in  D(A). 

The  above  paragraph  is  true  for  the  pointer  output  of  any  Copy  firing 
which  accesses  m  in  D^.  In  general,  this  reasoning  can  be  applied 
recursively  to  yield:  D(A)  consists  of  all  those  firings  accessing  n  which 
are  identified  in  (1)  above,  plus  the  initial-value  duration  for  any 
pointer  output  of  any  Copy  firing  in  D(A).  R(A)  then  consists  of  all 
Fetch,  Assign,  and  Copy  firings  in  D(A) . 

It  can  now  be  seen  how  this  precise  development  of  the  concept  of 
reach  leads  to  constraints  on  the  outputs  of  Fetch  and  Assign  firings: 

The  access  histories  in  a  firing  sequence  are  all  disjoint.  An  access 
history  is  partitioned  by  the  set  of  durations  consisting  of  its  initial- 
value  duration  and  the  duration  of  each  Assign  firing  appearing  in  it. 
Therefore,  the  durations  of  Assign  firings  are  all  disjoint,  and  so  each 
Fetch  or  Assign  firing  F  is  in  at  most  one  reach.  If  F  is  in  R(A)  for 


L 
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Assign  firing  A,  Chen  its  data  output  must  equal  v,  the  atomic  value  input 
to  A  (if  F  is  a  Fetch  firing;  the  data  outputs  of  Assign  firings  are 
identically  zero) .  The  control  outputs  of  F  equal  the  value  of  the  pred¬ 
icate  "v  is  not  nil".  (The  case  that  F  is  not  in  the  reach  of  any  Assign 
firing  is  examined  later.) 

The  concepts  of  access  history,  duration,  and  reach  can  all  be 
defined  for  an  entry-execution  model  by  applying  Algorithm  4.3-1  to  the 
descriptions  just  given.  This  is  done  in  the  next  sub-section.  The 
concepts  are  extended  to  the  Select,  Update,  and  Delete  operations  in 
Section  5.1.5. 

5.1.4  The  Atomic  Output  Constraint 

Definition  5,1-4  Given  any  Interpretation  Int  and  a  computation  w  for  Int, 

the  access  history  for  any  pointer  p  in  co  is  a  sequence  of  all  the 

entries  in  co  whose  values  equal  p  and  whose  target  executions  are  initiated 

in  co  (with  respect  to  Int).  In  this  sequence,  Ent(ej,,j^)  follows 

Ent(e-,j_)  iff  e. 's  initiating  entry  follows  e,'s  in  co. 

2  2  1  2  A 

In  the  just-concluded  schema-model  development  of  the  concept  of  reach, 
an  access  history  was  defined  as  a  sequence  of  firings.  The  entry- 
execution  analog  of  a  firing  is  an  execution.  Thus  it  might  be  expected 
that  an  access  history  would  be  defined  here  as  a  sequence  of  executions. 
The  reason  for  using  a  sequence  of  entries  Instead  is  that  each  Update 
execution  U  has  two  pointer-valued  input  entries.  It  is  necessary  that 
each  appearance  of  U  in  an  access  history  Hu  be  qualified  as  to  which  of 


its  input  entries  has  value  p.  Since  this  information  is  Inherent 
in  the  entries  of  o>,  the  form  of  access  history  defined  above  is 
more  convenient.  It  should  be  noted  that  the  entries  appear  in  the 
order  of  Initiation  of  their  target  executions,  which  is  not  necessarily 
the  same  as  their  order  of  appearance  in  co. 

Access  histories  have  a  significance  of  their  own  beyond  their  role 
in  defining  reach:  Let  co^  and  be  any'  two  computations  in  a  job  from  a 

determinate  expansion.  Then  for  every  access  history  in  w^,  there  is 
an  access  history  in  containing  exactly  the  same  entries. 

Definition  5.1-5  Let  go  be  any  computation  for  any  interpretation,  and 
denote  by  AS  the  set  of  Assign  executions  initiated  in  co.  For  each  A€AS, 
the  duration  of  A,  D(A),  in  co  is  a  set  of  entries  in  co  defined  recursively 
as  follows:  Let  APS  -  {Ent(e,l)j  e€AS}. 

(1)  Let  H  be  the  access  history  containing  f  ”  Ent(A,l).  Then  the  set 

{gf  g  follows  f  in  H  with  no  intervening  entry  from  APS} 
is  contained  in  D (A) . 

(2)  Let  C  be  any  Copy  execution  such  that  Ent(C,l) €D(A) ,  and  let  q  be 
its  pointer  output.  Then  the  set 

{g|  no  entry  from  APS  precedes  g  in  H^*} 
is  contained  in  D(A) . 

(3)  D(A)  consists  of  just  those  entries  derived  from  (1)  and  (2)  above. 

A 

If  Ent(e,l)  follows  Ent(A.l)  in  an  access  history  and  no  entry  from 
APS  appears  between  them,  then: 


I 
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1.  A  and  e  both  have  the  same  pointer  input, 

2.  e  Initiates  after  A,  and 

3.  no  Assign  execution  A'  with  the  same  pointer  input  initiates  between 
A  and  e 

If  to  is  from  the  model  EE(L  C,S),  then  to  models  a  firing  sequence  2,  and 

Ob 

A  and  e  model  two  firings.  One  of  these  firings  is  of  an  Assign,  and 
the  other  appears  after  it,  but  not  after  the  next  Assign  firing,  in  the 
same  access  history.  Therefore,  the  execution  e  models  a  firing  which 
belongs  in  the  duration  of  the  firing  modeled  by  execution  A. 

Definition  5.1-6  Let  to  be  any  computation  for  any  interpretation.  For 
each  Assign  execution  A  initiated  in  to,  the  reach  of  A,  R(A) ,  in  to  is  the 
set  of  executions  consisting  of  each  Fetch,  Assign,  or  Copy  execution  e 
for  which  Ent(e,l)  is  in  D(A) . 

The  outputs  of  all  Fetch  and  Assign  executions  in  R(A)  depend  just  on  A's 
atomic  input,  as  detailed  in  the  following: 

Constraint  5.1-3  A  computation  to  for  any  interpretation  satisfies  the 
Atomic  Output  Constraint  iff,  for  every  Fetch  or  Assign  execution  e  which 
is  in  the  reach  of  some  Assign  execution  A  in  to,  the  values  of  Src(e,l) 
and  Src(e,2)  are  as  follows,  where  v  *  V(Ent(A,2)). 


value  of  Src(e,l) 

value  of  Src(e,2) 

Action  of  e 

(Data  outputs) 

(Control  outputs) 

Fetch 

V 

v  *  nil 

Assign 

0 

v  f  nil 

A 


V 
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5.1.5  The  Structure  Output  Constraint 

The  only  other  operations  whose  firings  can  affect  other  firings' 
outputs  are  Update  and  Delete.  This  effect  could  be  made  precise  by 
defining  the  reach  of  such  a  firing  U  in  a  schema  model  of  L^g.  There 
would  be  two  differences  between  this  and  the  earlier  description  of  the 
reach  of  an  Assign  firing,  both  of  which  are  due  to  the  fact  that  U  affects 
just  one  branch  in  the  content  of  the  node  it  accesses: 

1.  U's  duration  D(U)  is  ended  only  by  another  Update  or  Delete  firing 
accessing  the  same  node  and  having  the  same  selector  input. 

2.  U  affects  only  those  firings  in  D(U)  which  depend  upon  the 
existence  of  the  branch  which  U  changes.  Therefore,  the  reach  of  U, 
R(U),  contains  firings  only  of: 

a.  a  Select  with  the  same  selector  input  as  U, 

b.  an  Update  or  Delete  with  the  same  selector  input  as  U 
(because  control  outputs  are  affected) ,  or 

c.  a  Copy,  First,  or  Next. 

The  state  change  effected  by  a  firing  ip  of  a  Copy,  First,  or  Next  which 
accesses  a  node  n  depends  on  the  entire  set  of  branches  in  SM(n) .  This 
in  turn  depends  on  every  Update  or  Delete  firing  into  whose  duration  q> 
falls.  Therefore,  any  such  firing  in  D(U)  is  in  R(U) . 

Since  the  reach  of  an  Update  or  Delete  is  so  similar  to  that  of  an 
Assign,  the  step  of  defining  it  for  a  schema  model  will  be  bypassed. 
Instead,  it  is  defined  directly  for  an  entry-execution  model: 


Definition  5.1-7  Let  co  be  any  computation  for  any  interpretation,  and 
denote  by  SS  the  set  of  all  Update  and  Delete  executions  initiated  in  go. 
Then  for  each  U€SS,  the  duration  of  U,  D(U),  in  go  is  defined  recursively 
as  follows.  Let 

SPS(U)  =  {Ent(e,l)|  e€SS  and  V(Ent(e,2))  -  V(Ent(U,2)) }. 

(1)  Let  H  be  the  access  history  containing  f  *  Ent(U,l).  Then  the  set 

{g|  g  follows  f  in  H  with  no  intervening  entry  in  SPS(U)} 
is  in  D(U). 

(2)  Let  C  be  any  Copy  execution  such  that  Ent(C,l)  is  in  D(U),  and  let 
q  be  its  pointer  output  value.  Then  the  set 

{g|  no  entry  in  SPS(U)  precedes  g  in  HW } 
is  in  D(U) . 


(3)  D(U)  consists  of  just  those  entries  derived  from  (1)  and  (2)  above. 

z 

SPS(U)  contains  just  those  entries  which,  by  virtue  of  their  targets 
having  the  same  selector  input,  could  end  U’s  duration. 


Definition  5.1-8  Let  o>  be  any  computation  for  any  interpretation.  For 
each  Update  or  Delete  execution  U  initiated  in  co,  the  reach  of  U,  R(U) ,  in 
go  is  the  set  of  executions 

{e|  Ent(e,l) €D(U) ,  e  is  an  execution  of  a  Select,  Update,  or 
Delete,  and  V(Ent(e,2)>  »  V(Ent(U,2))} 

U  {e |  Ent(e,l) €D(U)  and  e  is  an  execution  of  a  Copy,  First,  or  Next}. 

A 

The  exact  dependence  on  U  of  the  output  of  a  First  or  Next  execution  in 


R(U)  is  a  complex  issue,  and  will  be  considered  later.  The  dependence  on 
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U  of  the  outputs  of  a  Select,  Update,  or  Delete  execution  in  R(U)  is 
easily  understood: 


Constraint  5.1-4  A  computation  m  for  any  interpretation  satisfies  the 
Structure  Output  Constraint  iff,  for  every  Select,  Update,  or  Delete 
execution  e  which  is  in  the  reach  of  some  Update  or  Delete  execution  U  in 
u,  the  values  of  Src(e,l)  and  Src(e,2)  in  to  are  as  follows,  depending  on 
the  actions  of  e  and  U: 


U  is  an  Update  - 

Action  of  e 

Select 

Update  or  Delete 
U  is  a  Delete  - 

Action  of  e 

Select 

Update  or  Delete 


value  of  Src(e,l) 
(Data  outputs) 
V(Ent(U,3)) 

0 


value  of  Src(e,2) 
(Control  outputs) 
true 
true 


value  of  Src(e,l) 
(Data  outputs) 
undef 
0 


value  of  Src(e,2) 
(Control  outputs) 
false 
false 

A 


5.1.6  Initial  Structures 

Section  5.1.3  develops  the  concept  of  reach  and  uses  it  to  relate  the 
output  of  a  Fetch  firing  F  to  the  input  of  the  Assign  firing  into  whose 
reach  F  falls.  This  current  sub-section  is  concerned  with  finding  the 
output  of  a  Fetch  firing  which  is  not  in  any  reach  (a  Fetch  cannot  be  in 
the  reach  of  anything  but  an  Assign).  As  before,  answers  are  developed  in 
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Che  standard  schema  model  first,  and  then  carried  over  into  the  entry- 
execution  model. 

Let  S  be  any  initial  state  and  S3  any  firing  sequence  starting  in  S. 
Then  a  Fetch  firing  which  is  not  in  any  reach  in  S3  necessarily  outputs  the 
value  stored  at  some  node  in  S.  The  identity  of  this  node  is  determined 
with  the  aid  of  the  concept  of  dynamic  descendancy,  defined  thus:  Node  n 
is  dynamically  descended  from  node  m  in  S3  iff: 

1.  n  *  m,  or 

2.  n  is  activated  at  some  Copy  firing  in  S3  which  accesses  a  node 
which  is  dynamically  descended  from  m  in  S3. 

Every  node  in  5 ’S3  either  is  in  S  or  is  activated  by  a  unique  Copy  firing 
in  S3,  which  accesses  some  existing  node.  Therefore,  for  any  such  node  n, 
there  is  a  node  m  in  S  from  which  n  is  dynamically  descended  in  S3.  If  a 
Fetch  firing  F  which  accesses  node  n  is  not  in  any  reach,  it  will  output 
the  value  v  in  SM(m)  in  S,  as  the  following  argument  shows: 

Let  q  be  the  pointer  to  n;  i.e.,  TT(q)  ■  n.  Then  F  is  in  the  access 
history  in  S3,  and  is  not  therein  preceded  by  any  Assign  firing  (for 
then  F  would  be  in  the  reach  of  that  firing) .  Therefore  no  new  value  is 
stored  at  n  before  F,  so  F  outputs  the  initial  value  of  n.  If  n  *  m,  then 
that  value  is  v.  If  n  /  n,  prove  by  induction  on  the  length  of  its 
dynamic  descendancy  that  its  initial  value  is  v. 

Since  n  is  not  in  S,  it  is  activated  by  some  Copy  firing  C.  The  node 
n'  accessed  by  C  is  dynamically  descended  from  m.  The  initial  value  of  n 
is  the  value  of  n*  in  the  state  in  which  C  fires.  Since  F  is  not  in  the 
reach  of  any  Assign,  C  is  not  either.  Therefore,  no  firing  preceding  C 
changes  the  value  of  n',  so  in  the  state  in  which  C  fires. 
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n'  has  its  initial  value.  I.e.,  the  initial  value  of  n  equals  the  initial 
value  of  n't  which  by  induction  hypothesis  equals  the  initial  value  of  m. 

In  a  schema  model,  then,  the  output  of  any  Fetch  firing  not  in  a 
reach  is  determined  to  be  equal  to  a  value  stored  in  the  initial  state. 
This  result  cannot  be  carried  over  to  the  entry-execution  model,  however, 
because  all  concept  of  state  has  been  abstracted  away.  Fortunately, 
there  is  a  weaker  conclusion  which  can  be  expressed  in  the  entry-execution 
model  and  is  sufficient  for  the  purpose  of  proving  determinacy: 

Consider  two  different  firing  sequences  and  S22  starting  in  Initial 
states  and  S  2  such  that  S  2  equals  under  some  mapping  I.  Suppose 
that  Fetch  firings  F^  and  F^  access  nodes  n^  and  n2  in  2^  and  &2  respec¬ 
tively,  and  that  m.^  (m2)  is  the  node  in  5 ^  (S2)  from  which  n^  (n2)  is 
dynamically  descended.  If  m2  -  I(m^)  then  in  the  initial  states, 

SM(m2)  ■  I(SM(m^)),  Implying  that  m^  and  m2  have  the  same  initial  value 
v.  Thus  if  neither  F^  nor  F2  falls  into  the  reach  of  any  Assign  firing, 
both  will  output  v. 

This  observation  can  be  used  to  constrain  certain  Fetch  executions 
to  have  the  same  outputs  in  two  computations  in  the  same  job  (which  is 
all  that  is  required  for  determinacy).  The  constraint  is  developed  in 
several  steps:  First  it  is  noted  that  every  such  pair  of  computa¬ 
tions  and  a>2  is  derived  from  a  pair  of  firing  sequences  and  a2 
starting  in  two  initial  states  5^  and  S^.  Since  and  o>2  are  in  the  same 
job,  must  equal  5^  under  some  mapping  I. 

The  second  step  is  to  Identify  directly  from  (or  oi2)  which  pairs 
of  pointers  p  and  q  are  related  thusly:  the  node  pointed  to  by  p  is 


dynamically  descended  in  2^  (or  from  the  node  pointed  to  by  q.  This 
is  easily  done,  as  follows: 

Definition  5.1-9  Let  co  be  any  computation  for  any  interpretation,  and 
let  p  be  any  pointer.  Then  p  is  dynamically  descended  in  co  from  a  pointer 

q,  written  DD  (q,p),  iff  either 

co 

1.  p  *  q,  or 

2.  p  is  the  value  in  co  of  an  output  entry  of  a  Copy  execution  the  value 
of  whose  input  entry  is  a  pointer  dynamically  descended  from  q  in  co. 

A 

Let  the  heap  in  the  initial  state  5^,  i*l,2,  be  (N^n^.SM^.  Then,  for 
each  pointer  p  appearing  as  the  value  of  an  entry  in  co^,  there  is  a  unique 
pointer  q  in  dom  17  ^  from  which  p  is  dynamically  descended  (Lemma  5.2-4 
below) . 

The  third  and  final  step  in  developing  the  constraint  is  to  define  a 
relation  p  over  pointer-computation  pairs.  Two  such  pairs  should  be 
related  by  p,  written  (Pi»cOj)p(p2»co2) ,  iff,  for  q^^  and  q2  the  pointers  in 
dom  nx  and  dom  I72  from  which  p^  and  p2  are  dynamically  descended  in  co^  and 
oo2>  n2(q2)  *  I(I71(q^));  then,  it  has  been  argued,  any  two  Fetch  executions 
with  p^  and  p2  as  inputs  in  <o^  and  co2  are  constrained  to  have  equal 
outputs,  if  neither  falls  into  a  reach.  The  relation  p  is  first  recur¬ 
sively  derived  for  p^  and  p2  which  are  themselves  in  dom  17  ^  and  dom  n2. 

The  basis  is  that  if  p^  and  p2  are  on  the  same  program  input  arc  in 
Sj  and  S2»  respectively,  then  n2(p2>  ■  I(TI1(p1))  (by  definition  of  equal 
states),  so  (p^,co2)p(p2,co2) .  The  induction  step  involves  Select  execu¬ 
tions  and  S2  initiated  in  co^  and  co2  with  the  same  selector  input  s  and 
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pointer  inputs  p2  and  p2>  For  1*1,2,  if  SA  does  not  fall  into  a  reach  in 
then  its  pointer  output  is  p^',  where  (a^^p^MSM^Ol^q^)) ,  qt 
being  the  unique  pointer  in  dom  such  that  DD^  (q^ ,p^) •  (This  is  by  an 
argument  analogous  to  that  given  earlier  concerning  the  output  of  a  Fetch 
firing  which  is  in  no  reach.)  Then  this  series  of  inferences  can  be 
drawn:  (p^co^pCp^o^)  **  n2^q2^  -  KT^Cq^)  =»  SM2(TI2(q2))  -  KSMjffi^q^) 

»  n2Cp2*)  ■  KrijfPj^'))  •  (Pj'.c^JpCpj' ,cu  ),  since  p^'  is  in  dom  n.. 

Finally,  for  any  two  pointers  q^edom  17^  and  q2fdom  n2»  and  two  other 
pointers  Pj^  and  p2#q2,  (q^o^) p(q2,“2>  A  DD  (q^Pj)  •n2(q2>  ■  ^jUj)) 
A  q^  is  the  unique  pointer  in  dost  TT^  from  which  is  dynamically  descended 
in  co^  *»  (p^»co^)p(p2>co2) .  The  relation  p  is  defined  concisely  next;  a  proof 
that  (p1,w1)p(p2,ct>2)  iff  n2<q2>  *  I(ni(q1>)  may  be  found  in  a  later  section 
(Theorem  5.3-2). 


Definition  5.1-10  Given  any  Interpretation  Int  ■  (St,/, IE),  the  equal 
pointer  relation  is  a  binary  relation  over  the  set  of  all  ordered  pairs 
(p,co)  where  p  is  a  pointer  and  <o  is  a  computation  for  Int.  Two  such  pairs 
(Pj.oij)  and  (p2,co2)  are  in  this  relation,  written 

(Pj  »«j)  p(P2  »®2> 

iff  one  of  the  following  three  statements  is  true: 

1.  There  is  a  source  s  ■  Src(e,l)  for  some  efIE  and  some  1  such  that 

is  the  value  of  s  in  and  p2  is  the  value  of  s  in 

2.  There  are  two  Select  executions  S^  and  S2  such  that: 

for  1*1,2,  p^  is  the  value  in  co^  of  Src(S^,l), 

for  1*1,2,  Sf  does  not  fall  into  a  reach  in  coj, 

V(Ent  (S. ,2))  -  V(Ent  (S,,2)).  and 
coj  1  <02  2 
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<V(Ent^ (S1,l)  )  ,<o1)  pCV(Exit^(S2 ,1)  )  .c^) 


“2 


3.  There  Is  a  pointer  q*p^  such  that  DD^(q,p^)  and  (q,co^)p(P2*W2) 


A 


One  constraint  arises  immediately  from  the  claim  that  for  any 
Pj^dou  nx  and  p2€dom  n2>  (Pj^.oc^) pCpj.o^)  iff  n2(p2>  *  iGLtPj)):  since 
17^,  ^2*  and  1  are  one-to-one,  given  ,  co2»  and,  say,  p  ,  there  Is  at 
most  one  p2  such  that  (p^,co^) p(p2>u2) .  It  is  also  possible  now  to  state 
a  specific  circumstance  under  which  a  Fetch  execution  must  have  the  same 
output  in  different  computations  in  the  same  job.  This  is  combined  with 
the  analogous  constraint  on  Select  execution  outputs  in  the  following: 


Constraint  5.1-5  Given  an  Interpretation  Int.  any  pair  and  co  2  °£ 
computations  for  Int  satisfies  the  Initial  Structure  Constraint  iff  the 
following  are  all  true,  where  p  is  the  equal  pointer  relation  defined  from 
Int: 

1.  For  1*1,2,  let  p^  and  p^+2  be  any  two  pointers  such  that  neither  is 
the  value  of  an  output  entry  of  a  Copy  execution  in  co^.  If 
(P1.co1)p(p2,u2)  and  (p^c^)  p(p2,co2) ,  then  p3  -  p^,  and  if 

^pl,4Jl)p(P2,C02>  and  then  p4  “  p2’ 

2.  Let  and  e2  be  any  two  Fetch  or  two  Assign  executions  initiated  in 

<i^  and  o>2  respectively  with  pointer  Inputs  p^  and  p2  such  that 
^pl*“l^p^p2,0i2^ ’  If  nelther  falls  into  a  reach,  then  for  1-1,2, 
the  values  of  SrcCe^.i)  in  a>^  and  Src(e2,i)  in  co2  are  the  same. 

3.  Let  e^  and  e2  be  any  two  Select,  Update,  or  Delete  executions 
initiated  in  and  u2  with  equal  selector  Inputs  and  pointer  Inputs 
p^  and  p^  such  that  (pj.WjJp^,^)  •  If  neither  is  in  a  reach,  then 
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a.  the  values  of  Src(e^,2)  in  co^  and  Src(e2»2)  In  are  equal,  and 

b.  If  both  are  Update  or  Delete  executions,  then  the  values  of 

Src(e, ,1)  In  w.  and  Src(e_,l)  In  to,  are  the  same  (e.g.,  zero). 

1  “12  2  A 

It  will  be  noted  that  there  is  no  way  to  relate  the  output  values  of,  e.g. 
two  Fetch  executions  when  exactly  one  falls  into  a  reach.  Fortunately, 
the  need  never  arises. 

5.1.7  The  First /Next  Output  Constraint 

This  constraint  concerns  the  outputs  of  two  First  or  Next  executions 
in  two  computations  in  the  same  job.  It  is  similar  to  the  Initial 
Structure  Constraint,  and  is  here  developed  in  the  same  manner:  first  for 
the  schema  model,  then  for  the  entry-execution  model. 

Let  S  be  any  Initial  state  and  let  2  be  any  firing  sequence  starting 
in  S.  Let  FN  be  any  firing  in  S3  of  a  First  or  a  Next  operator,  and  let  n 
be  the  node  accessed  by  FN.  Then  the  outputs  of  FN  depend  just  on  the  set 
of  selectors  in  SM(n)  in  the  state  in  which  FN  fires.  A  selector  s  is 
in  this  set  iff: 

1.  FN  is  in  the  reach  of  an  Update  (not  a  Delete)  firing  having  the 
selector  input  s,  or 

2.  FN  is  not  in  any  such  reach  and  s  is  in  SM(m)  in  S,  where  n  is 
dynamically  descended  from  m  in  S3. 

This  leads  to  the  following  sufficient  condition  under  which  two  First  or 
Next  executions  output  the  same  value  in  different  computations  in  a  job 
in  HSOgg.S): 
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Constraint  5.1-6  Given  an  interpretation  Int .  anv  pair  co^  and  co  2  °f 
computations  for  Int  satisfies  the  First/Next  Output  Constraint  iff  the 
following  is  true,  where  p  is  the  equal  pointer  relation  defined  from  Int: 

Let  e^  and  e^  be  two  First  executions,  or  two  Next  executions  with 
the  same  selector  Inputs,  initiated  in  and  co2  respectively.  Then  for 
i*l,2,  the  values  of  Src^.i)  in  and  Src(e2,i)  in  co2  are  the  same  if: 

1.  the  values  of  the  pointer  inputs  to  and  e2  are  p^  and  p2  such 
that  (p1,o>1)p(p2,oj2) ,  and 

2.  for  each  selector  s,  is  in  the  reach  of  an  Update  (Delete) 
execution  with  selector  input  s  in  iff  e2  is  in  the  reach  of  an 
Update  (Delete)  execution  with  selector  input  s  in 

A 

5.1.8  The  Unique  Pointer  Generation  Constraint 

In  a  schema  model  of  an  S-S  language,  the  constraint  on  the  pointer 
output  by  a  Copy  firing  is  quite  elementary:  Letting  (N,n,SM)  be  the 
heap  in  the  state  in  which  the  Copy  fires,  the  pointer  which  it  outputs 
must  be  distinct  from  all  those  in  dom  IT.  The  corresponding  constraint 
in  an  entry-execution  model  is  more  complex,  however,  due  to  the  absence 
of  any  concept  of  heap.  The  problem  there  may  be  stated  as:  Given  a 
computation  in  which  a  Copy  execution  has  output  entries  of  value  p,  from 
which  other  entries'  values  must  p  be  distinct.  The  solution  is  developed 
below  for  EE(LgS,S). 

Let  (Int,J)  be  any  expansion  from  EE(L^^,S),  where  Int  ■  (St,/, IE). 
Let  co  be  any  computation  in  any  job  in  J;  then  u  is  a  computation  for  Int. 
Let  S  be  the  initial  state,  and  $2  the  firing  sequence  starting  in  5,  such 
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chat  co  Is  a  prefix  of  some  computation  in  3~  _ .  Then  for  any  pointer  q 

^  pSb 

which  appears  as  the  value  of  entries  in  u>,  the  first  such  entry  must  be 
an  output  entry  of  either  an  input  execution  (one  in  IE) ,  a  Copy  execution, 
or  a  Select  execution  which  is  in  no  reach:  The  only  other  executions 
which  can  possibly  have  pointer-valued  output  entries  are  pi  executions 
and  Select  executions  which  are  in  reaches  (Constraint  5.1-1).  If  a  pi 
execution  e  has  an  output  entry  of  value  q,  then  it  has  an  input  entry  of 
value  q,  which  must  precede  that  output  entry  in  a>.  If  a  Select  execution 
S  is  in  the  reach  of  an  Update  execution  U,  then  S's  output  entries  have 
the  same  value  as  Ent(U,3).  U  is  Initiated  before  all  executions  In  its 
reach,  so  Ent(U,3)  must  precede  all  output  entries  of  S. 

Let  (N,n,SM)  be  the  heap  in  the  Initial  state  S.  If  q  is  the  value 
of  an  output  entry  of  an  execution  in  IE,  then  there  is  a  token  with  value 
q  in  the  configuration  in  S ;  thus  q  must  be  in  dom  FI.  If  q  is  the  value 
of  an  output  entry  of  a  Select  execution  S  which  is  in  no  reach,  let  s  be 
S' 8  selector  input.  By  analogy  with  the  argument  given  earlier  for  Fetch 
executions,  the  pair  (s,IT(q))  must  be  in  the  content  of  some  node  in  N, 
which  implies  also  that  q  must  be  in  dom  IT.  In  either  case,  p,  being  the 
output  of  a  Copy  execution,  must  be  distinct  from  q.  Finally,  p  clearly 
must  be  distinct  from  the  value  of  the  output  entries  of  any  other  Copy 
execution  in  co.  These  conclusions  are  summarized  in: 

Constraint  5,1-7  Given  an  interpretation  Int  -  (St,  /, IE),  a  computation 
co  for  Int  satisfies  the  Unique  Pointer  Generation  Constraint  iff  the 
following  is  true:  Let  C  be  any  Copy  execution  initiated  in  co,  and  let 
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p  the  value  of  Its  output  entries  in  to  (if  any).  Then  p  is  not  equal  to 
the  value  of  the  output  entries  of  any  execution  which  is: 

1.  in  IE,  or 

2.  a  Copy  execution  other  than  C,  or 

3.  a  Select  execution  which  is  in  no  reach  in  a>. 

A 

This  completes  the  definition  of  a  Structure-as-Storage  (S-S)  model. 
The  system  of  constraints  just  presented  illustrates  a  mode  of  specifying 
sets  of  operations  in  the  medium  of  the  entry-execution  model:  all 
languages  whose  models  are  S-S  contain  some  common  set  of  operations.  In 
particular,  since  it  is  claimed  that  these  constraints  were  constructed  so 
that  EE(Ljjg ,S)  is  an  S-S  model,  the  set  of  structure  operations  in  L^s 
has  now  been  formally  described.  Section  5.3  proves  rigorously  the 
validity  of  this  claim;  first.  Section  5.2  develops  a  new  concept  import¬ 
ant  not  only  to  that  proof,  but  also  to  an  appreciation  of  the  information 
content  of  an  entry-execution  computation. 

As  noted  earlier,  the  work  of  Greif  [19]  is  closely  related  to  the 
entry-execution  model  and  to  the  use  of -constraints  on  computations  to 
specify  operations.  She  studied  the  behaviors  of  actor  systems.  A 
behavior  is  a  partial  order  of  events ,  which  are  closely  analogous  to 
entries.  A  given  actor  system  with  given  initial  conditions  may  exhibit 
several  different  behaviors;  similarly,  in  the  entry-execution  model,  a 
given  program  and  input  expands  into  a  Job,  a  set  of  sequences  of  entries. 
The  two  models  are  best  brought  into  correspondence  by  viewing  a  job  as 
the  set  of  all  total  orders  of  entries  compatible  with  all  the  possible 
behaviors  for  a  given  system  and  initial  conditions. 
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Various  techniques  for  coordinating  parallel  processes  were  described 
by  the  additional  orderings  they  imposed  on  all  possible  behaviors  (i.e», 
orderings  beyond  those  inherent  in  the  individual  processes) .  To  quote  the 
most  relevant  example,  a  single  cell  of  read/vrlte  storage  (analogous  to 
a  node)  was  defined  by  constraints  on  events,  which  depended  on  the  order 
in  which  operations  were  performed  on  the  cell.  That  is,  for  a  given  cell, 
each  behavior  had  to  specify  some  total  ordering  of  all  operations  on  that 
cell.  Furthermore,  the  events  so  ordered  had  to  satisfy  certain 
constraints,  notably  that  the  output  of  a  read  operation,  equals  the  input 
to  the  write  operation  which  most  immediately  preceded  it  (with  respect  to 
the  particular  total  ordering) . 

The  major  difference  between  the  entry-execution  model  and  the  actor 
model  is  in  level  of  abstraction.  The  former  is  rooted  in  a  view  of 
programs  as  fixed  sets  of  indivisible  instructions.  A  single  actor,  on 
the  other  hand,  can  model  anything  from  an  addition  operator  to  an  entire 
program.  An  actor's  function  can  change  with  time,  and  new  actors  can  be 
created  dynamically.  Consequently,  it  is  much  harder  to  grasp  the  connec¬ 
tion  between  a  concrete  data-flow  program  and  an  actor  system  which  models 
it.  Given  the  limited  objective  of  this  thesis,  the  entry-execution  model 
seems  more  appropriate.  It  is  felt,  however,  that  partial  orders  of 
entries  would  be  useful  tools  in  specifying  or  proving  what  a  program  does. 


-217- 


5.2  The  Heap  Determined  by  a  Computation 

This  section  develops  the  definition  of  the  heap  determined  by  a 
computation  (from  an  initial  heap).  The  derivation  confers  the  desirable 
property  that  for  any  firing  sequence  0  starting  in  any  state  S  *  (r,U), 
the  heap  determined  from  U  by  the  canonical  computation  r)(S, 6)  is  the 
heap  in  the  state  5*0.  The  significance  of  the  concept  is  three-fold: 

1.  It  demonstrates  the  relationship  between  an  abstract  computation  and 
a  more  easily-visualized  heap,  without  recourse  to  an  interpreter. 

2.  It  lies  at  the  heart  of  the  proof  (in  Section  7.3)  that  determinacy 
in  the  entry-execution  model  EE(Lp,M)  implies  functionality  of 
programs . 

3.  It  commences  the  verification  that  EE(LBg,S)  is  an  S-S  model. 

The  final  five  of  the  seven  S-S  constraints  concern  the  values  of  the 
output  entries  of  structure  operation  executions  in  a  computation  (or  in 
a  pair  of  computations)  in  a  job  J.  The  first  and  most  difficult  step 
in  proving  that  these  are  satisfied  by  all  computations  in  J  is  showing 
that  they  are  satisfied  by  all  canonical  computations  in  J.  The  role  in 
this  of  the  heap  determined  by  a  computation  is  Indicated  in  the  following 
brief  outline. 

For  any  initial  state  S  m  (T.U)  and  halted  firing  sequence  £>  starting 
in  S,  for  the  canonical  computation  co  »  t)(£,S2): 

1.  The  value  of  the  output  entries  of  a  structure  operation  execution 
in  co  equals  the  value  of  the  tokens  output  by  some  firing  cp  in  &. 

2.  The  value  of  those  tokens  depends  on  the  content  of  a  particular 
node  n  in  the  heap  in  S’  0,  where  0  is  such  that  0<p  is  a  prefix  of  Q. 
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3.  That  heap  Is  identical  to  the  heap  determined  from  U  by  t](S,0). 

4.  The  content  of  n  in  that  latter  heap  depends  on  the  initial  content 
(in  U)  of  some  related  node  m,  or  on  the  inputs  to  certain  executions 
in  co. 

5.  Those  are  just  the  executions  whose  durations  in  co  contain  Ent(e,l). 

Thus  the  values  of  the  output  entries  of  e  may  depend  on  the  inputs 

to  another  execution  e'  in  co.  It  will  be  seen  that  there  is  such  a 
dependence  iff  e  is  in  the  reach  of  e',  and  if  so,  the  dependence  will  be 
that  dictated  by  the  Atomic  or  Structure  Output  Constraint.  If  e  is  in 
no  reach,  then  its  outputs  depend  just  on  the  initial  content  of  m.  The 
outputs  of  another  execution  e'  in  another  computation  in  the  same  job 
may  depend  in  the  same  way  on  that  initial  content,  if  e'  does  not  fall 
into  a  reach  either.  In  this  case,  the  outputs  of  the  two  executions  will 
be  equal,  as  required  by  the  Initial  Structure  Constraint.  Similar 
reasoning  applies  to  the  remaining  two  Constraints. 

The  first  two  subsections  below  describe  the  construction  of  a  heap 
(N,n,SM)  from  a  computation:  N  and  II  in  Section  5.2.1  and  SM  in  Section 
5.2.2.  Section  5.2.3  then  proves  that  t}(5,0)  determines  the  heap  in  S'  9. 

5.2.1  Node  Activation  Records 

A  firing  sequence  6  starting  in  initial  state  S  *  (r,U)  determines  a 
heap  in  the  manner  prescribed  in  Definition  2.3-1;  this  is  the  heap  in 

the  state  being  denoted  as  S' 0.  The  goal  here  is  to  define  the  heap  i 

I 

determined  from  an  Initial  heap  by  a  computation  in  such  a  way  that  the  * 

heap  determined  from  U  by  ^(5,0)  is  the  heap  in  S'Q.  This  development  la 
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comp  lica  ted  by  the  fact  that  there  Is  not  quite  enough  information  in  a 
computation  to  completely  determine  a  heap  from  just  U.  The  present  sub¬ 
section  seeks  to  discover  what  information  is  missing  from  a>,  and  how  it 
might  best  be  supplied;  the  search  commences  by  examining  9  to  see  what 
information  it  uses  to  determine  a  heap. 

A  heap  (Definition  2.2-2)  is  an  ordered  triple  (NJl.SM),  where 

N  is  a  set  of  active  nodes 

n  is  a  one-to-one  function  from  V  onto  N 

P 

SM  is  a  function  assigning  a  content  to  each  node  in  N. 

Let  U  be  (NQ»ng,SMg)  and  let  the  heap  in  5*9  be  (N,n,SM).  Then  N  consists 
of  the  nodes  in  plus  those  activated  by  Copy  firings  in  0.  A  Copy 
firing  can  activate  any  arbitrary  node  not  already  in  the  heap.  Therefore, 
determining  N  requires  explicitly  specifying  which  nodes  are  activated  by 
firings  in  0.  Similarly,  n  consists  of  I7q  plus  an  association  of  a  unique 
pointer,  also  chosen  arbitrarily,  with  each  node  in  N-Nq.  Hence,  deter¬ 
mining  17  requires  explicitly  specifying,  for  each  node  activated  by  a  Copy 
firing  in  0,  the  pointer  which  points  to  it.  Finally,  the  content  SM(n) , 
for  any  n€N,  is  determined  from  the  initial  content  of  a  related  node  m, 
plus  the  inputs  to  certain  firings  in  9.  As  shown  in  Section  5.1.6,  m  is 
the  unique  node  in  from  which  n  is  dynamically  descended  in  9.  Thus  it 
is  necessary  to  know,  for  each  n€N-Ng,  which  Copy  firing  activated  n  (to 
determine  its  corresponding  m)  and  which  pointer  points  to  n  (to  determine 

n). 
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Thls  Information  was  embedded  In  the  firing  sequence  8  by  making 
each  firing  (p  of  a  Copy  labelled  C  be  ip  *  (C,(p,n));  this  specifies 
explicitly  that  the  node  activated  by  <p  is  n,  and  that  the  pointer  to  n 
is  p  (i.e.,  n(p)  ■  n)  .  The  canonical  computation  co  ■  r)(S,2),  however, 
does  not  contain  all  of  this  Information.  For  example,  a  computation 
contains  no  nodes,  so  a  separate  listing  of  the  nodes  in  N-Nq  will  be 
needed.  There  are  pointers  explicit  in  co:  Let  p  be  the  value  of  the 
tokens  output  by  the  k^  firing  of  Copy  operator  C  in  2.  If  one  of 
these  is  removed  by  a  subsequent  firing  in  £2,  then  the  execution  Ex(C,k) 
has  output  entries  in  u>  with  value  p.  However,  if  none  of  these  tokens 
is  removed  by  firings  in  2  (which  is  possible),  then  Ex(C,k)  has  no 
output  entries  in  co;  i.e.,  even  though  p  is  in  dom  n,  it  does  not 
necessarily  appear  in  a>.  Thus  the  only  way  to  guarantee  that  the  pointers 
pointing  to  all  of  the  nodes  in  N-N^  are  known  is  to  supply  a  separate 
list  of  them.  Furthermore,  each  pointer  in  this  list  must  be  paired  with 
the  node  to  which  it  points.  The  set  of  ordered  pairs  in  FI-TIq  contains 
all  of  the  above  Information. 

Finally,  in  order  to  determine  all  dynamic  descendancy  relations, 
the  nodes  in  N-N^  must  be  paired  with  the  Copy  executions  initiated  in  a. 
All  of  the  above  lists  and  pairings  can  concisely  be  made  explicit  in 
the  form  of  a  node  activation  record: 

Definition  5.2-1  Given  an  interpretation  Int,  a  domain  of  pointers, 
and  a  domain  N  of  nodes,  a  node  activation  record  is  a  function 

NAR:  C  VxN 
P 
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where  C Is  a  set  of  executions  of  the  Copy  action,  per  Int. 

Denote  by  "ran  NAR"  the  multiset^  containing,  for  each  C(C,  the  ordered 
pair  which  is  NAR(C) . 

A 

A  node  activation  record  NAR  should  contain  enough  additional 
information  for  a  computation  co  to  determine  a  heap  from  an  initial  heap. 
Specifically,  each  Copy  execution  initiated  in  should  be  associated  by 
NAR  with  a  pointer-node  pair.  These  associations  may  in  fact  duplicate 
information  in  co:  In  addition  to  the  pointer  value  associated  with  Copy 
execution  C  by  NAR,  there  may  be  pointer-valued  output  entries  of  C  in  u>; 
if  so,  the  two  pointer  values  should  of  course  be  the  same.  Any  node 
activation  record  satisfying  these  two  properties  is  compatible  with  a>: 

Definition  5.2-2  Given  an  interpretation  Int  and  a  computation  co  for  Int, 
any  node  activation  record  NAR  is  compatible  with  w  iff,  for  every  Copy 
execution  C  Initiated  in  co  with  respect  to  Int: 

1.  NAR(C)  is  defined,  and 

2.  if  there  are  output  entries  of  C  in  co,  then  the  value  of  those 
entries  is  the  pointer  in  the  ordered  pair  which  is  NAR(C) . 

A 

In  the  heap  (N,n,SM)  determined  by  a  computation  w  from  an  initial 
heap  U  -  (N0,n0,SMo)  and  a  compatible  node  activation  record  NAR,  n  is 
formed  by  appending  to  ITq  the  multiset  of  pointer-node  pairs  in  ran  NAR. 
Since  any  IT  must  be  one-to-one,  for  each  pair  (p,n)  in  ran  NAR,  there  can 
be  no  (p',n)  for  p'jfp  or  (p,n')  for  nVn  either  in  or  in  ran  NAR. 

^multiset:  Analogous  to  a  set,  but  elements  may  appear  more  than  once. 

[25,  p.  627] 
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Furthermore,  for  each  (p,n)€TI,  there  must  be  a  unique  node  m  in  Nq  such 
that  SM(n)  can  be  based  on  the  Initial  content  SMg(m) .  As  explained  in 
Section  5.1.6,  p  is  dynamically  descended  in  co  from  the  pointer  to  m. 
However,  if  the  same  pair  (p.n)  appears  twice  in  ran  NAR,  or  is  both  in 
ran  NAR  and  in  n^,  then  p  may  be  dynamically  descended  in  co  from  pointers 
to  two  different  nodes  in  Nq.  This  is  because  by  compatibility,  either 
two  different  Copy  executions  may  have  output  entries  of  value  p,  or  p  is 
the  value  of  the  output  entries  of  a  Copy  execution  even  though  n  itself 
is  in  Nq.  In  order  to  simplify  the  determination  of  m,  then,  this  ambigu¬ 
ity,  along  with  the  possibility  that  FI  will  not  be  one-to-one,  are 
disallowed;  l.e.,  the  heap  determined  by  co  from  U  and  NAR  is  defined  only 
if  ran  NAR  is  consistent  with  U: 

Definition  5.2-3  A  multiset  AP  of  pointer-node  pairs  is  consistent  with 
a  heap  U  ■  (N,IT,SM)  iff  no  pointer  or  node  in  a  pair  in  AP  is  also  in  any 
other  pair  in  either  AP  or  n.  ^ 

Given  a  compatible  and  consistent  node  activation  record  NAR,  any 
computation  should  be  able  to  determine  a  new  heap  from  any  initial  heap. 
It  is  desired  that,  in  particular,  the  computation  r\(S,0)f  for  any  initial 
state  S  -  (r,D)  and  firing  sequence  6  starting  in  5,  should  determine  from 
U  •  (N0,n0,SM0)  the  heap  (N,n,SM)  in  S' Q.  This  requires  that  ran  NAR 
should  equal  the  set  of  pointer-node  pairs  IWTq,  which  is  in  turn  just  the 
set  of  ordered  pairs  in  the  Copy  firings  in  6.  If  the  k**1  firing  of  Copy 


actor  d  in  0  is  (d,(p,n)),  then  that  firing  places  tokens  of  value  p 
d's  output  area  (Definition  2.3-1).  Then  if  Copy  execution  Rx(d,k)  has 
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output  entries  In  11(5,6),  they  have  value  p  (Lemma  4.3-1).  For  compati¬ 
bility,  therefore,  the  appropriate  node  activation  record  is  one  which 
associates  (p,n)  with  Ex(d,k): 

Definition  5.2-4  Given  any  LflS  program  P,  let  6  be  any  firing  sequence 
starting  in  an  initial  state  for  P,  and  let  co  be  any  computation  for 
Int(P) .  Then  the  node  activation  record  derived  from  6  and  co,  NAR,  is 
specified  as  follows: 

1.  NAR(C)  is  defined  iff  C  is  a  Copy  execution  initiated  (wrt  Int(P)) 
in  co. 

2.  For  any  such  Copy  execution  C,  let  d  and  k  be  the  label  and  integer 

kt. 

such  that  C  -  Ex(d,k).  Then  NAR(C)  ■  (p,n),  where  the  k  .firing 
of  d  in  6  is  (d,(p,n)). 

A 

Lemma  5.2-2  below  verifies  that  the  node  activation  record  derived  from 
6  and  ii(5,0)  is  compatible  with  ti(5,0),  and  that  its  range  is  consistent 
with  the  heap  in  5.  This  is  preceded  by  a  confirmation  of  the  cumulative 
effect  of  Copy  firings  in  a  firing  sequence. 

Lemma  5.2-1  Let  5  be  any  Initial  (standard  or  modified)  state  for  an  Lg,, 
program,  and  let  8  be  any  firing  sequence  starting  in  5.  Let  6<p  be  any 
prefix  of  £  In  which  9  is  a  Copy  firing  (d,(p,n)).  Then  for  any  prefix  A 
of  8, 

I A I  <  |e<p|  -  p/dom  n  and  n£N  in  5*  A*  and 
| A |  >  |0<p|  *»  pfdom  n  and  nfN  in  5>A> 

Proof:  Prove  the  second  implication  first,  by  Induction  on  the  length  of  A. 


Basis:  |a|  -  | ©<p |  - 

(1)  (p,n)  is  added  to  IT  in  going  from  S-0  to  S*0<p  »  S*A  Def.  2.3-1 

(2)  pfdom  n  and  n€N  in  5'A  (1)+Def.  2.2-5 

Induction  step:  Assume  the  second  part  of  the  Lemma  is  true  for  the 
length-k  prefix  A  of  2,  ) 0u> J  5  k  <  |&|  and  consider  the  prefix  A cp*  of 
length  k+1. 

(3)  pfdom  IT  and  n€N  in  S‘ A  ind.  hyp. 

(4)  dom  n  in  S'  A  is  a  subset  of  dom  n  in  5’Acp'  and  N  in  S’  A  is  a  subset 

of  N  -a  S’A^'  Def.  2.2-5 

(5)  p(dom  IT  and  n€N  in  S’  A<p'  (3)+(4) 

Thus  it  is  proven  by  induction  that 

(6)  | A f  >  |0«p|  »  p(dom  n  and  n(N  in  S*A 

Now  prove  the  first  part  of  the  Lemma  by  contradiction.  Assume 

(7)  There  is  a  prefix  A  of  Q,  |a|  <  ]  0<p  { ,  such  that  p€dom  n  or  n€N  in5'A 

By  the  Induction  above,  since  | 0 |  ?  | A ] a 

(8)  p€dom  n  or  nfN  in  5*0  (2)+(6) 

(9)  (p,n)  cannot  be  added  to  IT  in  going  from  5*0  toS*0<p  (8)-H)ef.  2.2-5 
Since  (7)  leads  to  a  contradiction  between  (1)  and  (9),  (7)  is  false. 


Lemma  5.2-2  Given  an  L^s  program  P,  let  S  -  (T,U)  be  any  initial  state 
for  P.  Let  Q  be  any  firing  sequence  starting  in  5,  and  let  a>  “  r)(S,2). 
Then  the  node  activation  record  derived  from  Q  and  co  is  meaningfully 
defined  and  is  compatible  with  co,  and  ran  NAR  is  consistent  with  U. 


Proof: 

(1)  <»  is  a  computation  for  lnt(P) 


lemma  4.3-3 
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(2)  Let  Int(P)  -  (St,/, IE).  The  definition  of  NAR  makes  sense  iff,  for 

every  execution  C  ■  Ex(d,k)  initiated  in  co  wrt  Int(P),  /(d)  ■  Copy 
=»  there  are  at  least  k  firings  of  d  in  2  (1)+Def.  5.2-4 

(3)  C  is  initiated  in  co  and  /(d)  ■  Copy  =>  there  is  In(Copy)  *  1  input 

entry  to  C  in  co  Defs.  4. 3-1+4. 2-6 

(4)  NAR  is  meaningfully  defined  (3)+(2)+Lemma  4.3-1 

(5)  For  every  Copy  execution  C  initiated  in  co,  NAR(C)  is  defined 

Def.  5.2-4 

(6)  Let  (p^,n^)  and  (p^.n^)  be  any  two  distinct  pairs  in  the  multiset 

ran  NAR.  Let  C^  and  C^  be  the  two  Copy  executions  such  that,  for 
1*1,2,  NAR(C^)  ■  (p^.n^),  and  let  d^  and  k^  be  such  that  C^  * 
Ex(di,ki).  Then  (p^n^)  is  in  the  k*h  firing  in  2  which  contains 
dA  Def.  5.2-4 

(7)  The  k**1  firing  of  d^  and  the  k^  firing  of  d ^  are  distinct  firings 

in  2.  Assume,  without  loss  of  generality,  that  the  k^  firing  of 
is  the  later  of  these.  I.e.,  there  is  a  prefix  9cp^AcP2  £ 
in  which  -  *di'^pi,ni^  (6) 

(8)  Let  the  heap  in  S’0<j>^  be  (NJI.SM)  and  let  0  be  (NqJIq.SMq).  Then 

since  | ©cp^ |  <  (e^A^I  and  |\|  <  |eq>jA<p2|,  P2<dora  n,  n^N, 

P2^dom  nQ,  and  n2)fl»0  (7)+Lemma  5.2-1 

(9)  Pj€dom  n  and  n^€N,  so  P2^P^  and  n^n^  (8)+(7)+Defs.  2. 3-1+2. 2-5 

(10)  For  any  pair  in  ran  NAR,  neither  the  pointer  nor  the  node  in  that 

pair  is  in  any  other  pair  in  either  ran  NAR  or  FIq »  i.e.,  ran  NAR 
is  consistent  with  0  (6)+(8)+(9)+Def .  5.2-3 

(11)  Let  C  be  any  Copy  execution  initiated  in  co,  and  let  d  and  k  be  such 
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that  C  “  Ex(d,k).  C  has  output  entries  In  to  =»  there  is  a  prefix 
&p  of  S  containing  exactly  k  firings  of  C  such  that  tokens  of 
value  p  appear  on  the  output  arcs  of  the  actor  labelled  d  in  P  at 
the  transition  from  S'&  to  Leuna  4.3-1 

(12)  «•  that  transition  is  the  result  of  the  kth  firing  of  d  in  2,  and 

3n (N:  (p,n)  is  added  to  IT  at  that  transition  Def .  2.2-5 

(13)  =>  (p,n)  is  in  that  firing  Def.  2.3-1 

(14)  =»  NAR(C)  -  (p,n)  (ll)-H)ef.  5.2-4 

(15)  If  C  has  output  entries  in  co,  their  value  is  the  pointer  in  NAR(C) 

(11)+(14) 

(16)  NAR  is  compatible  with  co  (l)+(5)+(15)+Oef .  5.2-2 

A 

The  following  definition  of  a  quasi-inverse  of  a  node  activation 
record  will  prove  very  convenient: 


Definition  5.2-5  Given  a  node  activation  record 

NAR:  C  V 
P 

the  Creatlng-Copy  function  corresponding  to  NAR, 

CC:  V  C 
P 

is  given  by 

!C  if  there  is  an  n(N  such  that  NAR(C)  •  (p,n) 

undefined  otherwise 

A 

For  any  pointer  p,  CC(p)  is  the  Copy  execution  whoso  output  entries  have 
value  p,  as  the  following  lemma  shows: 
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Lemma  5.2-3  Let  5  be  any  initial  standard  state  for  an  LfiS  program  F,  and 
let  2  be  any  firing  sequence  starting  in  5.  Let  be  the  canonical 
computation  t}(S,2),  and  let  the  heap  in  5  be  (N,n,SM).  Let  NAR  be  the 
node  activation  record  derived  from  2  and  tj,  and  let  CC  be  the  correspon¬ 
ding  Creating-Copy  function.  For  any  pointer  p  which  is  the  value  of  an 
entry  in  t): 

p  is  the  value  in  r)  of  the  output  entries  of  a  Copy  execution 
=»  p  i  don  n 

=»  CC(p)  is  defined,  the  first  entry  in  t]  with  value  p  is  an  output 

entry  of  CC(p),  that  entry  is  strictly  preceded  by  Ent(CC(p) ,1) , 
and  there  is  no  other  Copy  execution  whose  output  entries  have 
value  p. 

Proof :  Prove  the  second  implication  first. 

(1)  Let  p  be  any  pointer  not  in  dom  n  which  is  the  value  of  some  entry 

in  T).  Then  either  some  firing  in  2  removes  a  token  with  value  p 
or  2  is  halted  and  there  is  a  token  with  value  p  on  an  arc  in 
S' 2  Alg.  4.3-1 

In  what  follows,  alternatives  in  parentheses  refer  to  the  case  that  2  is 
halted  and  no  firing  in  it  removes  a  token  of  value  p. 

(2)  Let  0<p  be  the  prefix  of  2  such  that  <p  is  the  first  firing  (if  there 

is  one)  in  2  to  remove  a  token  with  value  p.  Let  b  be  an  arc  of 

P  from  which  such  a  token  is  removed  by  cp  (or  let  b  be  an  arc  on 

which  there  is  a  token  of  value  p  in  5*2) .  Either  that  token  is 
on  b  In  S  or  it  is  placed  there  by  some  firing  <p'  In  6  (or  in  2) 

of  'the  actor  d  of  which  b  is  an  output  arc  (1)+Def.  2.1-5 
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(3)  If  that  token  in  on  b  in  S,  then  p  is  in  don  II  Def .  2.2-6 

(4)  That  token  is  placed  on  b  by  a  firing  <p *  of  d  in  6  (or  2) (l)+(3)+(2) 

(5)  Let  A  be  such  that  Ap'  Is  s  prefix  of  6  (or  2).  <p *  does  not 

remove  a  token  with  value  p  (4)+(2) 

(6)  d  is  either  a  Select  or  a  Copy  operator  (4)+(5)+Defs.  2. 2-5+2. 2-4 

(7)  Let  n  be  n(p) .  Since  pldom  n,  nfh,  so  theTe  is  no  node  m  and 

selector  s  such  that  (s,n)€SM(a)  in  S  Def.  2.2-1 

(8)  For  any  prefix  Sep"  of  A,  if  there  is  a  node  m  and  selector  s  such 

that  (s,n)€SM(m)  in  S*E<p",  then  either  (s,n)  Is  in  SM(n)  In  S' S  or 
<p"  is  an  Update  firing  which  removes  a  token  of  value  p  Table  2.2-1 
Thus  by  induction,  since  no  firing  in  A  removes  a  token  of  value  p, 

(9)  There  is  no  m  and  s  such  that  (s,n)(SM(m)  in  S' A  (2)+(5) 

(10)  d  is  a  Select  operator  «  there  Is  a  node  m  and  selector  s  such 

that  (s,n)€SM(m)  in  S'A  Table  2.2-1 

(11)  d  is  not  a  Select  operator  (9)+(10) 

(12)  d  is  a  Copy  operator  (6)+(ll) 

(13)  There  is  no  entry  with  value  p  in  co(S,9)  (or  co(S,2))  (2)+Alg.  4.3-1 

(14)  Letting  Int(P)  *  (St, /, IE),  there  is  an  entry  with  value  p  in 

c>)(S,6«p)  (or  Tj(S,2)),  that  is  an  output  entry  of  execution  Ex(d,k) 
for  some  k,  and  /(d)  -  Copy  (2)+(4)+(12)+Alg.  4.3-1+Def.  4.3-2 

(15)  <u(S,0(p)  (or  ri(S,2))  is  a  prefix  of  rj  Alg.  4.3-1 

(16)  The  first  entry  in  r)  with  value  p  is  a  output  entry  of  a  Copy 

execution  C  ■  Ex(d,k)  (13)+(14)+(15) 

(17)  T)  is  causal  with  respect  to  Int(P)  Lemma  4.3-2 
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(18)  The  initiating  entry  to  C  strictly  precedes  the  first  entry  in  r| 

with  value  p,  so  C  is  initiated  in  rj  (17)+(16)+Def .  4.2-7 

(19)  Since  d  has  only  a  number-1  input  arc,  that  initiating  entry  can 

only  be  Ent(C,l)  Alg.  4.3-1 

(20)  NAR  is  compatible  with  r)  and  ran  NAR  is  consistent  with  the  heap 

in  S  Lemma  5.2-2 

(21)  There  is  a  node  n  such  that  (p,n)  =  NAR(C)  (20)+(18)+(16)+Def •  5.2-2 

(22)  CC(p)  is  defined  and  equals  C  (21)+Def.  5.2-5 

(23)  There  is  no  other  Copy  execution  C'  and  node  n'  such  that 

(p,n')  =  NAR(C')  (20)+Defs.  5. 2-3+5. 2-4 

(24)  There  is  no  other  Copy  execution  of  which  p  is  the  value  of  the 

output  entries  (20)+(23)+Def .  5.2-2 

Now  prove  that  if  p  is  the  value  in  rj  of  the  output  entries  of  a  Copy 
execution  C  =  Ex(d,k),  then  p^dom  n. 

(25)  There  is  a  node  n  such  that  (p,n)  *  NAR(C)  (16)-(21) 

(26)  The  kth  firing  of  d  in  2  is  (d,(p,n))  (25)+Def.  5.2-4 

(27)  Let  A<p  be  any  prefix  of  &  such  that  ip  *  (d,(p,n)).  Then  since 

| X |  <  |  A<p |  •  p^dom  n  in  S’\  **  S  (26)+Lemma  5.2-1+Def.  2.3-1 

A 

5.2.2  The  Contents  Determined  by  a  Computation 

With  the  additional  information  supplied  by  a  compatible  and  consist¬ 
ent  node  activation  record  NAR,  a  computation  to  can  determine  a  heap 
(N,n,SM)  from  an  Initial  heap  U  *  ^No’^0,SM0^'  N  and  n  are  constructed 
directly  from  NAR  as  follows:  n  is  T1q  plus  the  pairs  in  ran  NAR,  and  N  is 
the  set  of  nodes  in  the  ordered  pairs  in  IT.  All  that  remains  is  to 
establish  how,  for  each  node  n€N,  to  determines  the  content  SM(n)  from  U 
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and  NAR.  There  are  two  cases  to  consider:  a  given  content  either  Is  or 
Is  not  dependent  on  some  executlon(s)  In  co. 

5. 2. 2.1  Contents  Dependent  on  Executions  In  co 

Let  £  be  any  firing  sequence  starting  in  any  initial  state  S  =  (r,U), 
and  let  Acp  be  any  prefix  of  £>.  The  intent  here  is  that  the  heap  deter¬ 
mined  from  U  by  a  *  r)(£,A)  should  be  the  heap  (NJT.SM)  in  £*A.  Assume 
that  the  last  firing  (p  in  A<p  is  the  k1"*1  firing  of  Fetch  operator  d,  and 
that  cp  accesses  node  n.  Two  conclusions  can  be  drawn  about  the  value  v 
output  by  <p:  (1)  it  is  the  value  in  SM(n)  (Table  2.2-1)  and  (2)  it  is  the 
value  of  the  output  entries  in  u  ■  t](£,S2)  of  F  *  Ex(d,k)  (Lemma  4.3-1). 
Therefore,  a  should  determine  that  the  value  in  SM(n)  is  the  value  of 
the  output  entries  of  F  in  co. 

It  has  already  been  argued  (Section  5.1.4)  that  if  f  *  Ent  (F,l) 

CO 

falls  into  the  duration  D(A)  of  some  Assign  execution  A,  then  the  output 
entries  of  F  have  value  V(Ent  (A, 2)).  If  f  is  in  D(A),  then,  letting 

CO 

p  *  V(f) ,  either: 

(a)  Ent  (A,l)  is  the  last  input  entry  of  an  Assign  execution  preceding 

co 

f  in  H63,  or 
P 

(b)  there  is  no  input  entry  to  an  Assign  execution  preceding  f  in  H^, 
there  is  a  Copy  execution  C  which  has  output  entries  of  value  p  in 
co,  and  Ent  (C,l)  is  in  D(A)  (or  alternatively,  C  is  in  the  reach 

CO 

R(A)  in  co) . 

A  simple  Inductive  argument  shows  that  A  initiates  before  F:  In  case  (a) 
above,  A  must  initiate  before  F  by  definition  of  access  history,  and  in 
case  (b),  C  must  initiate  before  F  (Lemma  5.2-3)  and  A  must  initiate 
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before  C  by  induction  hypothesis.  Therefore,  A  can  be  identified  from  the 
shortest  prefix  of  go  in  which  F  is  initiated;  this  is  £  ■  r)(£,A<p). 

The  goal  is  to  determine  SM(n)  (which  requires  finding  A)  from  just 
a  *  r](S,A).  Entry  f  is  not  in  any  access  history  in  a,  and  so  A  cannot 
be  Identified  as  the  Assign  execution  whose  duration  contains  f.  Since  p 
is  a  followed  by  the  input  entries  to  F,  however,  F  is  the  last  execution 
initiated  in  6-  Therefore,  is  Ha  followed  by  f;  i.e.,  Ha  is  the  prefix 

H  p  p  '  p  k 

of  H“  preceding  f.  From  this  and  the  above,  f  is  in  D(A)  in  go  iff: 

P 

(a)  Ent^(A,l)  is  the  last  input  entry  to  an  Assign  execution  in  H^,  or 

(b)  there  is  no  input  entry  to  an  Assign  execution  in  Ha,  there  is  a 

P 

Copy  execution  C  which  has  output  entries  of  value  p  in  go,  and  C 
is  in  R(A)  in  a. 

This  characterization  of  A  still  relies  oh  information  which  may  not 
be  in  a:  It  is  possible  that  f  is  the  first  entry  in  co  with  value  p.  If 
so,  then  there  is  no  Assign  Input  entry  in  H°,  and  the  Copy  execution  C 
has  no  output  entries  in  a.  Given  a  node  activation  record  NAR  which  is 
compatible  with  co,  however,  it  is  known  that  if  any  Copy  execution  has 
output  entries  in  co  of  value  p,  it  is  the  one  which  created  p,  CC(p) . 

Thus  it  is  possible  to  identify,  from  just  a  and  NAR,  any  Assign  execution 

A  whose  duration  in  co  contains  Ent  (F,l).  It  will  be  said  that  this 

co 

duration  of  A  "extends  to  the  end  of  Ha"  (even  though  Ha  may  be  empty) : 

P  P 

Definition  5.2-6  (Durations  extending  to  the  end  of  an  access  history) 
Given  any  Interpretation  Int,  computation  a  for  Int,  and  node  activation 
record  compatible  with  a,  let  CC  be  the  Creating-Copy  function  correspon¬ 
ding  to  that  node  activation  record.  Denote  by  AS  the  set  of  Assign 


executions  initiated  in  a,  and  by  SS  the  set  of  all  Update  and  Delete 

executions  initiated  in  a.  Denote  by  APS  the  set  (Ent^Ce, 1) |  e€AS},  and 

for  each  U€SS,  denote  by  SPS(U)  the  set 

{Ent  (e,l)  I  e€SS  and  V(Ent  (e,2))  -  V(Ent  (U,2))}. 
a  a  a. 

For  each  AfAS  and  pointer  p,  the  duration  D(A)  extends  to  the  end  of 

Ha  iff: 

— P 

1.  Ent  (A,l)  is  the  last  entry  from  APS  in  Ha,  or 

a  p 

2.  There  is  no  entry  from  APS  in  H®,  and  CC(p)  is  defined  and  is  in 
R(A)  in  a. 


For  each  U€SS  and  pointer  p,  the  duration  D(U)  extends  to  the  end  of 

Ha  iff: 

"P 

1.  Ent  (U , 1)  is  the  last  entry  from  SPS(U)  in  Ha,  or 

u  p 

2.  There  is  no  entry  from  SPS(U)  in  Ha,  and  CC(p)  is  defined  and  is  in 

P 

R(U)  in  a. 

A 

The  foregoing  argument  can  be  summarized  thusly:  Given  a  firing 
sequence  A  starting  in  S  *»  (T.U) ,  it  is  desired  that  the  computation 
a«r|(S,A)  should  determine  from  U  the  heap  (N,n,SM)  in  S'  A-  For  any 
pointer  p,  let  n  be  n(p),  and  assume  that  there  is  an  Assign  execution  A 
such  that  D(A)  extends  to  the  end  of  H^.  The  following  chain  of  infer¬ 
ences  can  then  be  drawn: 

There  is  a  firing  sequence  A(p  in  which  is  the  ktl1  firing  of  Fetch 
operator  d  and  (p's  pointer  input  is  p 
•  <p  outputs  the  value  in  SM(n) ,  and  there  is  a  computation  p  »  r|(£,Acp) 


In  which,  for  Fetch  execution  F  -  Ex(d,k),  Ent  (F,l)  falls  into  D(A) 

P 

(Lemma  5.2-7  below),  so  that  F  is  in  R(A)  in  (3 
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=»  F  is  in  R(A)  in  any  computation  co  of  which  (3  is  a  prefix 

*»  if  F  has  output  entries  in  co,  their  value  equals  the  value  output 

by  m,  and  their  value  equals  V(Ent  (A, 2)) 

co 

=»  the  value  in  SM(n)  is  V(Ent  (A, 2))  =  V(Ent  (A, 2)). 

co  a 

SM(n)  cannot  depend  on  what  firings  may  or  may  not  occur  after  A. 

Therefore,  the  conclusion  is  that  if  D(A)  extends  to  the  end  of  Ha, 

P 

then  the  value  in  SM(IT(p))  is  V(Ent  (A, 2)). 

a 

5. 2. 2. 2  Contents  Not  Dependent  on  Executions  in  to 

It  remains  now  to  consider  the  case  of  a  pointer  p  for  which  there 

is  no  Assign  execution  whose  duration  extends  to  the  end  of  Ha.  In  this 

P 

case,  a  similar  Inference  can  be  drawn,  with  the  aid  of  the  argument 
advanced  in  Section  5.1.6: 

th 

There  is  a  firing  sequence  Acp  in  which  cp  is  the  k  firing  of 
Fetch  operator  d  and  (p's  pointer  input  is  p 
=»  in  any  computation  co  of  which  rjCS’.Acp)  is  a  prefix  and  in  which 
Fetch  execution  F  -  Ex(d,k)  has  output  entries,  their  value  equals 
the  value  in  SM(n)  and  their  value  equals  the  value  in  SM^(m),  where 
(q,m)€TlQ  and  DD^(q,p);  i.e.,  p  is  dynamically  descended  from  q  in  co. 
This  determination  of  the  value  in  SM(n)  suffers  from  a  familiar 
shortcoming:  The  goal  is  to  determine  SM(n)  from  just  a  *  T)(S,A),  U, 
and  a  node  activation  record.  It  is  required  to  discover  the  particular 
qfdom  I7q  from  which  p  is  dynamically  descended  in  co  (Lemma  5.2-4  below 
proves  that  q  is  unique  in  dom  TTq)' -  From  Definition  5.1-9,  DD(p,p)  in 
any  computation;  thus,  if  p  is  in  dom  rig,  then  q  -  p.  Otherwise,  if  there 
are  entries  in  a  with  value  p,  then  DD  (q,p)  iff  DD  (q,p).  But  it  is 


possible  that  there  are  no  such  entries  in  a;  in  this  case,  it  is  meaning¬ 
less  to  speak  of  p's  being  dynamically  descended  in  a  from  any  pointer  in 


dom  nQ •  Therefore,  q  cannot  be  defined  as  the  unique  pointer  in  dom 

such  that  DD  (q,p). 
a 

Fortunately,  q  can  be  determined,  in  an  indirect  manner,  from  just 

a,  U,  and  the  node  activation  record  NAR  derived  from  A  and  a:  Let  p  be 

r]C5,Acp),  let  NAR*  be  the  node  activation  record  derived  from  A <p  and  p, 

and  let  CC  and  CC  be  the  Creatlng-Copy  functions  corresponding  to  NAR 
a  p 

and  NAR'.  The  computation  p  consists  of  a  followed  by  Ent  (F,l),  which 

P 

entry  has  value  p.  If  pldom  ITq,  then  p  is  the  value  in  p  of  the  output 

entries  of  Copy  execution  C  -  CC  (p) ,  and  C  initiates  in  a  (Lemma  5.2-3). 

P 

Since  NAR'  is  compatible  with  p  (Lemma  5.2-2),  NAR'(C)  is  defined  and 

equal  to  the  pair  (p,n),  for  some  n.  NAR(C)  is  also  defined  and  equal  to 

NAR'(C)  (Lemma  5.2-5  below).  Therefore,  CC  (p)  -  CC  (p)  ■  C. 

a  P 

Thus  if  p^dom  FIq,  it  is  the  value  in  p  (hence  in  go)  of  the  output 

entries  of  the  Copy  execution  CC  (p) ,  which  execution  can  be  identified 

a 

from  just  NAR.  Let  p'  be  the  value  of  Enta(CCQ(p) ,1) ;  for  any  q€dom  FIq, 

DD  (q,p)  iff  DD  (q,p')  iff  DD  (q,p').  Therefore,  if  pldom  n_,  q  is 

CO  CO  CL  U 

determined  to  be  the  unique  pointer  in  dom  Jl.  from  which  V(Ent  (CC  (p),l)) 

0  a  a 

is  dynamically  descended  in  a. 

The  derivation  just  given  is  summarized  in  the  following  sub-section 
as  the  definition  of  the  heap  determined  by  a  computation  from  an  initial 
heap  and  a  compatible  and  consistent  node  activation  record.  It  Is  then 
proven  that,  for  initial  state  S  -  (r,U)  and  firing  sequence  A  starting  in 
S,  a  ■  r|(5,A)  determines  the  heap  in  S* A  from  U  and  the  node  activation 
record  derived  from  A  and  a. 


rnmrnmm 
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5.2.3  Summary  and  Validation 

The  following  definition  assumes  that  for  each  pointer,  there  is  a 
unique  pointer  in  dom  from  which  it  is  dynamically  descended;  the 
validity  of  this  assumption  is  confirmed  immediately  after  the  definition. 


Definition  5.2-7  Given  any  heap  U  -  (Nq.Hq.SMq)  and  any  interpretation 
Int,  let  a  be  any  computation  for  Int  and  let  NAR  be  any  node  activation 
record  such  that  NAR  is  compatible  with  a  and  ran  NAR  is  consistent  with 
U.  Then  the  heap  determined  by  a  from  U  and  NAR,  (N^.n^.SM^) ,  is  defined 
as  follows: 


n  -  FT- Ur  an  NAR 
a  0 

Nq  -  {n|  3p:  (p,n)€TIa} 

Let  CC  be  the  Creating-Copy  function  corresponding  to  NAR.  For  each  pair 
(p,n)€TIa,  let  (q,m)  be  defined  as  follows: 

a.  If  (p,n)€l0,  then  (q,m)  -  (p,n). 

b.  If  (p,n)filg,  then  (q,m)  is  that  unique  pair  in  such  that 
V(Enta(CC(p) ,1))  is  dynamically  descended  from  q  in  a. 

Then  SM^(n)  is  given  by: 

1.  If  there  is  an  Assign  execution  A  such  that  D(A)  extends  to  the  end 

of  H°,  then  the  value  in  SM  (n)  is  V(Ent  (A, 2)).  Otherwise,  it  is 

p  a  a 

the  value  in  SM^(m) . 

2.  For  each  selector  s€Z,  if  there  is  an  Update  execution  U  such  that 

D(U)  extends  to  the  end  of  HS,  then  the  pair  (s,TI  (V(Ent  (U,3)))>  is 

p  a  a 

in  SM  (n) ,  and  is  the  only  pair  in  SM  (n)  containing  s.  If  there  is 
a  a 

a  Delete  execution  U  such  that  D(U)  extends  to  the  end  of  Ha,  then 

P 


-236- 


there  is  no  pair  containing  s  in  SMa(n) .  Otherwise,  for  any  node  r, 
(s,r)fSMa(n)  iff  (s,r) €SM0<m) . 

A 

Lemma  5.2-4  Let  S  ■  (r,U)  be  any  initial  state  for  an  L  program 

—  DO 

P,  where  U  *  (N,IT,SH).  Let  A  be  any  firing  sequence  starting  in  S ,  and 
let  a  -  Then  for  any  pointer  p  which  is  the  value  of  some  entry 

in  a,  there  is  a  unique  q€dom  n  such  that  DDQ(q,p). 

Proof:  By  contradiction.  Assume  that 

(1)  The  lemma  is  false 

(2)  There  is  a  prefix  yf  of  a  such  that  any  pointer  which  is  the  value 

of  an  entry  in  Y  is  dynamically  descended  from  a  unique  pointer 
in  dom  II,  but  p  -  V(f)  is  dynamically  descended  from  two  distinct 


pointers  in  dom  17  (1) 

(3)  p  is  the  value  of  the  output  entries  of  a  C  oy  execution  =* 

Pftdom  n  Lemma  5 . 2-3 

(4)  pfdom  n  =>  p  is  not  the  value  of  the  output  entries  of  a  Copy 

execution  (3) 

(5)  »  p  is  dynamically  descended  only  from  Itself  Def.  5.1-9 

(6)  *»  p  is  dynamically  descended  from  a  unique  pointer  in  dom  17  (4) 

(7)  f  is  the  first  entry  in  a  with  value  p  (2) 


(8)  pfdoa  17  *  f  is  an  output  entry  of  a  Copy  execution  C,  g  ■  EntQ(C,l) 

strictly  precedes  f  in  a  (l.e.,  g  is  in  y),  and  no  other  Copy 
execution  has  output  entries  in  a  of  value  p  (7)+Lemma  5.2-3 

(9)  Let  r  »  V(g) .  Then  for  any  q*p ,  DDa(q,p)  •  DDfl(q,r)  (8)+Def.  5.1-9 
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Since  r  Is  the  value  of  an  entry  in  y 

(10)  (2)  a  r  is  dynamically  descended  from  a  unique  pointer  in  dom  IT 

(9)+(8) 

Since  (2)  =•  p  is  dynamically  descended  from  two  pointers  in  dom  IT, 

(11)  (2)  m  r  is  dynamically  descended  from  two  pointers  in  dom  IT  (8)+(9) 
Since  (2)  Implies  a  contradiction  between  (10)  and  (11),  (1)  is  false,  and 
the  Lemma  is  true. 

A 

The  proof  that  t)(«?,a)  determines  the  heap  in^'A  is  by  induction  on 
the  lengths  of  the  prefixes  of  A*  Therefore,  it  is  necessary  first  to 
establish  that,  for  any  firing  sequence  6$,  the  key  entities  —  reaches, 
access  histories,  and  node  activation  records  —  derived  from  9  and  r)0S,6) 
are  subsets  of  (i.e.,  agree  with)  those  derived  from  0<p  and  r|(£,9(p).  This 
is  easily  done  for  the  latter  two  entities  in  the  following. 

Lemma  5.2-5  Let  +>  be  any  Initial  standard  state  for  an  L^s  program  P,  and 
let  6cp  be  any  firing  sequence  starting  in  S .  Let  the  last  firing  in  9<p, 

<p,  be  the  k**1  firing  of  an  actor  in  P  labelled  d.  Let  a  ■  r|(S,0)  and 
P  *  T](S,  8<p)  .  Then 

A:  For  any  pointer  p,  H®  is  a  prefix  of  H^,  any  input  entries  to  Ex(d,k) 

Q  Q  Q 

which  have  value  p  are  in  h£,  and  for  any  entry  Ent(e*,j)  in  “  Hp, 
e’  f  Ex(d,k)  =»  e*  is  not  a  structure  operation  execution. 

B:  Let  NAR  (NAR*)  be  the  node  activation  record  derived  from  6  and  h 
(6tp  and  p).  Then  for  any  Copy  execution  C  initiated  in  a, 

NAR' (C)  -  NAR(C) . 
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Proof : 

(1)  p  is  a  followed  by  m  Input  entries  to  Ex(d,k),  where  <p  removes  m 

tokens,  followed  possibly  by  Input  entries  to  executions  Ex(c,n) 
where  c®L  Alg.  4.3-1+Def.  4.3-1 

(2)  The  set  of  entries  in  a  whose  values  are  p  is  a  subset  of  the  set 

of  entries  in  p  whose  values  are  p,  and  for  any  j  less  than  or 
equal  to  the  number  of  executions  initiated  in  a,  the  j1*1 
execution  initiated  in  a  is  the  j**1  execution  initiated  in  p 

(1)+Def.  4.2-6 

(3)  Ha  is  a  prefix  of  HP  (2)+Def.  5.1-4 

P  P 

(4)  Letting  Int(P)  -  (St, /.IE),  m  -  In(/(d))  (1)+Defs.  4. 3-2+4. 3-1 

(5)  Ex(d,k)  is  initiated  in  p,  so  any  input  entries  to  it  which  have 

value  p  are  in  (l)+(4)+Defs.  4. 2-6+5. 1-4 

P 

(6)  For  any  entry  f  -  Ent(e',j)  where  e'  -  Ex(c,n),  f£H^  -  Ha  *»  e'  is 

P  P 

initiated  in  p  but  not  in  a  (2)+Def.  5.1-4 

(7)  =>  [e*  /  Ex(d,k)  «»  /(c)  is  not  a  structure  operation]  (1)+Def.  4.3-2 

(8)  Let  NAR  (NAR* )  be  the  node  activation  record  derived  from  6  and  a 

(&p  and  p) .  NAR  is  meaningfully  defined  Lemma  5.2-2 

(9)  Let  C  ■  Ex(d,k)  be  any  Copy  execution  initiated  in  a.  Then  there 

are  k  firings  of  d  in  0  and  the  k**1  of  these  is  (d,(p,n)),  where 
(p,n)  -  NAR(C)  (8)+Def .  5.2-4 

(10)  There  are  k  firings  of  d  in  6<p,  and  the  kth  of  these  is  (d,(p,n)), 

so  NAR’(C)  -  (p,n)  -  NAR(C)  (9)+Def.  5.2-4 

A 

The  need  to  show  that  the  reach  of  an  execution  in  one  computation  a 
is  a  subset  of  its  reach  in  another  computation  p  arises  in  several 
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situations  in  the  remainder  of  the  thesis.  In  two  of  these,  a  is  strongly 
related  to  {3:  either  it  is  a  prefix  or  it  is  a  permutation  which  preserves 
initiating  order  of  executions.  The  weakest  relation  obtains  in  the  case 
that  a  *  and  p  *  where  S  is  any  initial  modified  state, 

S'  is  the  corresponding  initial  standard  state,  and  2  is  any  halted  firing 
sequence  starting  in  S.  In  the  interest  of  efficiency,  these  needs  are 
anticipated  here  by  a  single,  general  proof  applicable  in  all  three  cases. 

A  study  of  the  definitions  of  reach  and  duration  reveals  the 
following  sufficient  conditions  for  the  reaches  in  a  to  be  subsets  of 
those  in  (3: 

1.  Every  structure  operation  execution  which  has  input  entries  in  a 
has  input  entries  of  the  same  values  in  p. 

2.  For  any  two  structure  operation  executions  e  and  e'  such  that 

Ent  (e,l)  is  in  an  access  history  in  a,  Ent  (e',1)  precedes  Ent  (e,l) 
a  a  1 

in  that  history  iff  EntQ(e',l)  precedes  Ent  fe,l)  in  an  access 

P  P 

history  in  p. 

3.  Every  Copy  execution  which  has  output  entries  in  either  a  or  p  has 
output  entries  of  the  same  value  in  both  computations. 

Given  the  first  of  these  conditions,  the  second  is  in  turn  guaranteed  if: 
2'.  For  every  structure  operation  execution  e  Initiated  in  a, 

a.  e  is  Initiated  in  {3,  and 

b.  for  any  other  structure  operation  execution  e1,  e'  Initiates 
before  e  in  a  iff  it  does  so  in  p. 

If  these  sufficient  conditions  hold  for  a  and  p,  then  p  is  structure- 
operation-execution  inclusive  of  a,  as  defined  formally  next. 


Definition  5.2-8  For  any  two  computations  a  and  p  for  the  same  interpre¬ 
tation  Int  ■  (St,  /,IE),  p  is  structure-operation-execution  inclusive 
(SOE-inclusive)  of  a  iff  the  following  are  all  true  (all  initiations  are 
with  respect  to  Int) : 

1.  Any  structure  operation  execution  initiated  in  a  is  initiated  in  p. 

2.  For  any  two  structure  operation  executions  e  and  e’  such  that  e  is 
initiated  in  a,  e'  is  initiated  before  e  in  a  iff  ef  is  initiated 
before  e  in  p. 

3.  For  any  Copy  execution  C  initiated  in  a,  C  has  output  entries  in 
P  only  if  C  has  output  entries  in  a. 

4.  For  every  entry  f €a,  there  is  an  entry  with  the  same  value  in  p 
whose  transfer  has  the  same  source  as  T(f ) . 

5.  For  any  non-pi  execution  e  and  for  any  j ,  if  there  is  an  entry 

Ent  (e,j)  in  a,  then  there  is  an  entry  Ent„(e, j)  in  p  with  the  same 
a  p 

value. 

A 

The  following  lemma  states  the  general  result  that  the  reaches  in  a 
are  subsets  of  those  in  p  if  either  a  is  a  prefix  of  p  or  P  is  SOE- 
inclusive  of  a.  Since  p  is  SOE-inclusive  of  any  of  its  permutations  which 
preserve  initiation  order  (Lenina  5.3-7),  this  covers  all  of  the  cases 
cited  above.  To  enable  a  simple  proof  by  induction  on  the  lengths  of 
the  prefixes  of  a,  a  further  requirement  is  Imposed:  For  any  pointer  p 
which  is  the  value  in  p  of  the  output  entries  of  a  Copy  execution  C,  the 
Initiation  of  C  precedes  in  p  the  initiation  of  any  e  such  that  Ent^(e,l) 
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is  in  H^.  If  p  Is  causal,  this  can  be  simplified  to  "the  first  entry  in 
P  with  value  p  is  an  output  entry  of  C",  since  that  entry  must  be  preceded 
by  C's  initiating  entry.  (Any  canonical  computation  p  meets  this  require¬ 
ment  by  Lemma  5.2-3.) 

Lemma  5.2-6  Let  a  and  p  be  any  two  causal  computations  for  the  same 
interpretation  Int  such  that  either  a  is  a  prefix  of  p  or  p  is  SOE- 
inclusive  of  a,  and  for  any  pointer  p,  p  is  the  value  of  the  output 
entries  in  p  of  a  Copy  execution  C  only  if  the  first  entry  in  p  with  value 
p  is  an  output  entry  of  C.  Let  e  be  any  structure  operation  execution 
initiated  in  a  wrt  Int.  Then  for  any  Assign,  Update,  or  Delete  execution 
A,  e  is  in  R(A)  in  p  iff  e  is  in  R(A)  in  a  only  if  A  is  initiated  in  a. 

Proof:  (As  with  the  succeeding  Lemma  and  Theorem  5.2-1,  the  proof  of  this 
is  essentially  a  tedious  manipulation  of  definitions;  therefore,  all  three 
proofs  may  be  found  in  Appendix  D.) 

A 

The  next  lemma  verifies  the  key  property  claimed  for  a  duration 
extending  to  the  end  of  an  access  history: 

Lemma  5.2-7  Let  S  be  any  initial  standard  state,  and  let  6(p  be  any  firing 

sequence  starting  in  5  in  which  the  last  firing  is  <p.  Let  a  “  r|(5,6)  and 

P  «  r)(5 , 6q>) .  Let  f  be  any  entry  in  p  but  not  in  a  whose  value  is  some 

pointer  p.  If  f  ■  Ent0(e,l)  for  some  execution  e,  then  for  any  other 

P 

execution  e',  f  is  in  duration  D(e')  in  p  iff  D(e’)  extends  to  the  end  of 

H**.  Furthermore,  if  0  ■  X,  then  no  durations  extend  to  the  end  of  Ha 
P  p 

for  any  p. 


A 


Now  it  is  straightforward  (if  tedious)  to  prove  formally  that  the 


foregoing  construction  was  correct: 

Theorem  5.2-1  Let  5  -  (T,U)  be  any  initial  standard  state  for  an  Lgg 
program  P,  and  let  $2  be  any  firing  sequence  starting  in  S.  Let  co  be  t)(£,q) 
and  let  NAR  be  the  node  activation  record  derived  from  Q  and  co.  Then  the 
heap  determined  by  co  from  U  and  NAR  is  defined  and  is  identical  to  the 
heap  in  the  state  S*2. 

A 

5.3  Validation  of  the  S-S  Model 

The  constraints  defining  an  S-S  model  were  constructed  in  such  a  way 
that  EE(LBg,S)  would  satisfy  them,  which  would  in  turn  mean  that  those 
constraints  do  define,  in  the  sense  being  used  here,  the  set  of  structure 
operations  in  LBg.  The  purpose  of  this  section  is  to  confirm  the  validity 
of  the  construction  by  means  of  a  rigorous  proof,  the  principle  of  which 
is  briefly  explained  next. 

In  the  five-tuple  (V,  L,  A ,  In,  E )  which  is  EE(L_C,S),  V,  A,  and  In 

DO 

obviously  meet  the  requirements  imposed  on  them  by  the  definition  of  an 
S-S  model  (Definition  5.1-1).  All  that  remains  is  to  show  that  every  job 
from  every  expansion  in  £  satisfies  the  seven  constraints.  The  first  of 
these,  the  Input/Output  Type  Constraint,  is  trivial;  the  second  one. 

Pointer  Transparency,  is  a  straightforward  special  case  which  will  not  be 
discussed  here  (the  proofs  that  these  two  constraints  are  satisfied  are  in 
Section  5.3.1  below). 

The  remaining  five  constraints  all  fit  one  of  three  patterns: 

(1)  The  values  of  the  output  entries  of  an  execution  e^  in  any 


i 
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computation  co  must  depend  on  the  value  of  an  input  entry  in  co.to 
another,  related  execution  e^. 

(2)  The  output  entries  of  one  execution  e^  must  be  unequal  to  the 
output  entries  of  another,  related  executipn  e 2  in  the  same  compu¬ 
tation  oo. 

(3)  The  values  of  the  output  entries  of  two  related  executions  e^  and 
e^  in  two  computations  co^  and  in  the  same  job  must  be  equal. 

In  all  of  these  cases,  the  qualifying  relationship  between  e^  and  e 2  is 
based  partially  on  the  actions  of  which  they  are  executions.  The  remain¬ 
der  of  the  relation  in  patterns  (1)  and  (2)  may  involve  the  concept  of 
reach:  a  constraint  of  type  (1)  applies  to  e^  and  e^  only  if  e^  is  in  the 
reach  R(e2)  in  co,  while  in  pattern  (2),  may  have  to  fall  in  no  reach. 
Those  constraints  fitting  pattern  (3)  combine  reach  with  the  equal-pointer 
relation  p:  the  constraints  apply  only  if  (a)  either  e^  and  e2  are  both  in 

no  reach  or  they  both  are  in  identical  sets  of  reaches,  and  (b)  letting 

p^  and  p2  be  the  pointer  inputs  to  e^  and  e2,  (p^,c0j)p(P2»“2^  • 

Every  computation  a  in  a  job  J  is  a  prefix  of  a  halted  computation 

which  is  a  permutation  of  a  canonical  computation  »€J.  The  approach  taken 

here  is  to  prove  first  that  the  constraints  are  satisfied  by  every  canon- 
ical  computation,  or  pair  of  canonical  computations,  as  appropriate,  in  J; 
this  step  makes  extensive  use  of  the  just-defined  heap  determined  by  a 
computation.  Then  it  is  shown  that,  for  any  two  computations  and  a2 
in  J,  there  are  two  canonical  computations  and  a>2  in  J  such  that  the 
pertinent  qualifying  relations  between  executions  in  and  a2  are  subsets 
of  (i.e.,  agree  with)  those  in  co^  and  co2»  respectively.  That  is: 
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A:  For  1-1,2,  for  any  execution  e^  initiated  in  a^,  e^  is  in  reach 
R(e2)  in  a±  iff  is  in  R(e2)  in  c^. 

B:  For  any  two  pointers  px  and  p2,  (p^c^)  p(p2,a2>  =>  (p.^^) p(p2,a>2)  . 

This  second  step  is  accomplished  with  the  aid  of  an  intermediate 
computation:  For  1-1,2,  is  a  prefix  of  a  halted  computation  p^  in  J; 
there  is  in  turn  a  canonical  computation  in  J  which  is  a  permutation 
of  p4  preserving  initiation  order  (and  hence  is  SOE-inclusive  of  p^  . 
Implication  A  holds  for  and  p^,  and  then  again  for  p^  and  by  two 
applications  of  Lemma  5.2-6.  Therefore,  the  major  sub-task  remaining  is 
to  show  that  is  a  prefix  of  p^  and  is  SOE-inclusive  of  p^  lead  to  B. 

The  third  and  final  phase  of  the  proof  is  to  show  that  A  and  B  imply 

that  the  constraints,  known  to  be  satisfied  by  and  co2,  must  hold  for 
and  a2<  This  is  a  simple  deduction,  which  may  be  summarized  thusly: 

Two  executions  e^  and  e2  are  related  in  a ^  and  a2  as  specified  in 
a  constraint 

=»  e^^  and  e2  are  so  related  in  and  co2  (by  A  and  B) 

=•  the  input/output  entries  of  e^  and  e2  in  and  co2  have  the 

dependency  dictated  by  the  constraint 
*»  the  input/output  entries  of  e^  and  e2  in  and  a2  have  the  same 
dependency  (because  every  entry  in  is  in  co^) . 

Therefore,  and  a2  satisfy  the  constraint. 

The  three  steps  in  the  proof  that  all  computations  in  a  job  satisfy 
the  last  five  constraints  may  be  found  in  Sections  5.3.2,  5.3.3,  and  5.3.4 
respectively.  In  all  of  the  proofs  remaining  in  this  chapter,  whenever 
a  program  P  is  given,  all  initiations,  access  histories,  etc.,  are  with 
respect  to  the  interpretation  Int(P). 
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5.3.1  Input/Output  Types  and  Pointer  Transparency 

It  is  simple  to  confirm  that  all  canonical  computations  from 
EE(L  ,S)  satisfy  the  first  constraint: 

DO 

Lemma  5.3-1  Let  S  be  any  initial  standard  state  for  any  L  program  P  and 

BS 

let  S2  be  any  halted  firing  sequence  starting  in  S.  Then,  given 
Int(P)  =  (ijt,/,IE),  r)(S,S2)  satisfies  the  Input/Output  Type  Constraint. 

I 

Proof : 

(1)  Let  a)  be  r)(5,S2).  Then  ai  is  a  computation  for  Int(P)  Lemma  4.3-2 

(2)  For  all  d  and  k,  d€{,'ID","IT","IF"}  =>  Ex(d,k)€IE  Def.  4.3-2 

(3)  For  all  d  and  k,  d€DL-{"ID","IT","IF"}  -  Ex(d,k)  has  no  output 

entries  in  gd  Def.  4.3-1+Alg.  4.3-1 

(4)  =>  /(d)  is  a  pi  action  Def.  5.1-2 

(5)  For  all  d  and  k,  d€DL  =>  the  input  and  output  entries  of  Ex(d,k) 

are  not  constrained  by  the  Input/Output  Type  Constraint 

(2)+(3)+(4)+Const.  5.1-1 

(6)  For  all  d,  k,  and  j,  dCSt-DL  =»  the  value  of  the  number-j  input  entry 

to  Ex(d,k)  in  co  is  equal  to  the  value  of  the  token  removed  from  d's 
number-j  input  arc  at  d’s  kth  firing  in  S2  Def.  4.3-2+Alg.  4.3-1 

(7)  For  all  d,  k,  and  i,  let  f  be  any  entry  such  that  T(f)  has  source 

Src(Ex(d,k)  ,i)  .  If  d€ST-DL,  then  there  is  a  prefix  Acp  of  £>  con¬ 
taining  exactly  k  firings  of  d  such  that  tokens  of  value  V(f) 
appear  on  the  number-i  output  arcs  of  d  at  the  transition  from 
S'  A  to  S'  Atp  Lemma  4.3-1 

(8)  =»  tokens  of  value  V(f)  are  placed  on  d's  number-i  output  arcs  at 

the  k^  firing  of  d 


Defs.  2. 1-5+2. 2-5 
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(9)  For  iiny  entry  f6>o,  f  it*  an  input  or  an  output  entry  of  Kx(d,k)  where 
d*St-DL  <tnd  /(d)  1m  not  «  structure  or  s  pi  action  *•  V ( f )  Is 
not  a  pointer  (6)+(7)+(8)+Def .  2.2-!) 

(10)  F  is  an  input  or  an  output  entry  of  Ex(d,k)  where  dtSt-I)l.  and  /(d) 

it*  a  structure  operation  -•  the  type  of  V(f)  depends  on  /(d)  and 
l  as  in  Table  2.2-1  (6)+(7)+Def .  2.2-5 

(11)  to  satisfies  the  Input/Output  Type  Constraint 

(5)+(9)+( 10)+Tahle  2 . 2-1+Const .  5.1-1 

A 

The  proof  of  the  Pointer  Transparency  Constraint  Is  conceptually 
simple  but  procedurnlly  difficult.  The  constraint  is  that  for  any  Job  J 
and  computation  u^t.T,  if  is  any  other  computation  which  Is  Identical  to 
to  within  pointer  values,  then  «)  is  in  J.  The  proof  may  be  outlined 
aa  follows: 

.1  is  .1K  for  some  equivalence  class  E  of  initial  states.  There  Is 

some  .*?j  ( E  and  some  halted  firing  sequence  starting  in  .'>j  such  that 

Is  a  prefix  of  some  computation  (1  In  .1,.  .  Construct  an  initial  state 

*’l  ,W1 

,T  ,  equal  to  .s’  ,  and  a  firing  sequence  sA,  equal  to  U. ,  such  that  .o_  will 

2  1  a  i  / 

be  a  prefix  of  some  computation  In  d(,  ,  .  Prove  that  !2_  is  a  halted 

*  ’  2  *  2  1 

firing  sequence  starting  In  •  Since  equals  ^ is  in  E,  so  Is 
in  JR. 

Proving  that  is  a  halted  firing  sequence  starting  in  and 
verifying  that  <o  is  a  prefix  of  |HJ(,  ,  both  require  the  following 

fact,  first  asserted  in  Section  2.4: 
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Theorem  5.3-1  For  any  two  equal  standard  states  S ^  and  for  the  same 
program  P,  and  any  two  equal  firing  sequences  2^  starting  in  5^  and  2^ 
starting  in  S^t  S2*22  equals  Furthermore,  if  I  is  the  mapping 

under  which  the  conditions  of  each  arc  b  in  P  match  in  and  S 2>  then  the 

mapping  under  which  the  conditions  of  b  in  5^*2^  and  match  is 

IU{(n^,n2)|  3k:  for  i*l,2,  is  the  node  in  the  Copy  firing  in  2^} 

Proof:  (The  lengthy  proof  of  this  intuitively-correct  notion  has  been 
deferred  to  Appendix  D.) 

A 

It  is  next  desired  to  use  this  result  to  prove  the  following:  For 
any  two  equal  states  S ^  and  S 2  and  any  two  equal  firing  sequences  2^  and 
S22 ,  if  ^  is  a  halted  firing  sequence  starting  in  5^,  then  22  is  a  halted 
firing  sequence  starting  in  S^.  Mere  equality  of  firing  sequences  says 
nothing,  however,  about  the  pointer-node  pairs  in  their  Copy  firings. 

While  there  is  much  arbitrariness  in  choosing  these  pairs,  it  is  not 
absolute:  22  is  a  valid  firing  sequence  starting  in  S ^  *  (T,U)  only  if 
each  pointer  or  node  in  a  pair  in  a  Copy  firing  in  22  appears  in  no  other 
pair  in  a  Copy  firing  or  in  17  in  U  (Lemma  5.2-1);  i.e.,  only  if  tie  multi¬ 
set  of  pointer-node  pairs  in  the  Copy  firings  in  22  is  consistent  with  U. 
With  this  added  qualification,  the  assertion  can  be  proven: 

Corollary  5.3-1  Let  be  any  standard  state  for  an  L^s  program  P,  and  ' 
let  2^  be  any  firing  sequence  starting  in  S Let  5^  be  any  standard 
state  equal  to  5^,  and  let  22  be  any  firing  sequence  equal  to  2^, .  Then 
A:  Each  actor  in  P  is  enabled  in  S,,  iff  it  is  enabled  in  5^. 


B:  If  the  multiset  AP  of  pointer-node  pairs  in  the  Copy  firings  in  2,, 
is  consistent  with  the  heap  in  52 »  then  &2  is  a  firing  sequence 
starting  in  £2>  an^  22  *8  halted  iff  2^  is  halted. 

Proof :  Of  A. 

* 

(1)  There  is  some  one-to-one  mapping  I  under  which,  for  each  are  b  in 

P,  Match«b,S2),  I,  (b ,S^))  Def.  2.4-3 

(2)  For  each  actor  d  in  P,  each  input  and  output  arc  of  d  has  a  token 

in  S2  iff  if  has  a  tQk®n  in  S ^  (1)+Def.  2.4-2 

(3)  Enabling  conditions  for  an  actor  depend  only  on  the  presence  or 

absence  of  tokens  on  the  actor's  input  and  output  arcs  Def.  2.1-4 

(4)  d  is  enabled  in  iff  d  is  enabled  in  (2)+(3) 

Prove  B  by  induction  on  the  length  of  2^. 

Basis:  |2^|  -  0. 

(5)  |22l  -  0  Def.  2.4-5 

(6)  22  i®  a  filing  sequence  starting  in  (5)+Def.  2.3-1 

Induction  step:  Assume  the  Corollary  is  true  for  any  2^  of  length  n, 
and  consider  2^  *  8jtp^  of  length  n+1,  in  which  the  last  firing  <p^  is  of 
the  actor  labelled  d  in  P. 

(7)  22  can  be  written  as  02(p2,  where  <p2  is  also  a  firing  of  d  and  ©2 

equals  0^  Def.  2.4-5 

(8)  02  is  a  firing  sequence  starting  in  lnd.  hyp. 

(9)  52*62  equals  (7)+(8)+Tha.  5.3-1 

(10)  d  is  enabled  in  5^*0^,  «o  d  is  enabled  in  S2‘02  (9)+A+Oef.  2.3-1 

(11)  d  is  not  a  Copy  operator  •  <j>2  ■  d  (7)+Def.  2.3-1 

(12)  »  02<p2  is  a  firing  sequence  starting  in  S 2  (8)+(10)+©ef .  2.3-1 
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(13)  If  d  is  a  Copy  operator,  then  <p^  ■  (d,(p,n)),  where  p  is  a  pointer 

and  n  is  a  node  (7)-H)ef.  2.3-1 

(14)  62^2  is  not  a  firing  sequence  starting  in  S 2  9  (p,n)  cannot  be 

added  to  IT  in  going  from  S2’&2  t0  ^2*®2<{>2  (10)+Def.  2.3-1 

(15)  =»  p€dom  U  or  n£N  in  $2  ® 2  Table  2.2-1 

(16)  =»  since  no  state  transition  ever  diminishes  n  or  N,  either  porn 

is  in  a  pair  either  in  17  in  S2  or  *n  some  Copy  firing  in  02 
(i.e.,  other  than  q^)  Table  2.2-1 

(17)  =»  AP  is  not  consistent  with  the  heap  in  S2  (13)+Def.  5.2-3 

(18)  02^2  *s  a  sequence  starting  in  S2  (11)+(12)+(14)+(17) 

So  it  is  proven  by  induction  that  2«  *-s  a  firing  sequence  starting  in  S2> 

(19)  S2'Q 2  equals  Thm.  5.3-1 

(20)  2^  is  not  halted  iff  there  is  an  actor  d  in  P  which  is  enabled  in 

5^*^  Def.  2.3-1 

(21)  iff  there  is  an  actor  d  enabled  in  (19)+A 

(22)  iff  ^2  is  not  halted  Def.  2.3-1 

A 

The  above  theorem  and  corollary  express  some  fundamental  properties 
of  the  equality  relations  between  states  and  between  firing  sequences. 
These  will  be  applied  several  times  in  the  remainder  of  the  thesis;  the 
first  such  application  is  in  the  verification  of  pointer  transparency, 
as  outlined  earlier: 

Lemma  5.3-2  Let  (Int.J)  be  any  expansion  from  EE(L„„,S).  Then  every  job 

.  „«  -  -  DO 

J€J  satisfies  the  Pointer  Transparency  Constraint. 


Proof:  Let  J  be  any  job  In  </,  and  let  be  any  computation  in  J.  Let 
a2  be  any  computation  such  that 
(1)  02  ■=* 

■'  (2)  There  is  a  total  one-to-one  mapping  Y  over  V  such  that  a.  can  be 

p  2 

derived  from  by  substituting  for  each  entry  ffa^  a  similar 
entry  vith  transfer  T(f ) ,  and  value  V(f),  if  that  is  not  a  pointer, 
or  Y(V(f))  otherwise  (1)+Def.  5.1-3 

(3)  (Int,J)  is  the  expansion  of  some  L^  program  P,  and  J  »  J£  for  some 

equivalence  class  E  of  initial  standard  states  for  P 

Defs.  4. 3-1+4. 3-2 

(4)  There  is  an  initial  standard  state  and  a  halted  firing  sequence 

$2  starting  in  S ^  such  that  is  a  prefix  of  some  ^  in 

Jc  0  (3)+Def .  4.3-3 

(5)  Let  S' ^  ”  (r^,U^)f  where  *  (N^n^SM^).  Let  be  such  that 

(p.niCTF^  iff  (Y(p)  ,n)  bet  U2  *  (N^^.SM^).  Then  since  equal¬ 

ity  of  components  does  not  concern  pointers,  for  any  nfN^, 

Uj.n  “  U^.n,  where  1  is  the  identity  mapping  Def .  2.4-1 

(6)  Let  r2  be  with  each  token  which  has  a  pointer  value,  p,  replaced 

with  a  token  of  value  Y(p).  Then  for  each  arc  b  in  P,  either  b  has 

no  token  in  both  and  ^ »  or  b  has  tokens  of  identical  non-pointer 

value  in  and  or  b  has  tokens  of  pointer  value  v^  and  V2 

in  and  r2»  where  ^(Vj)  -  ^(v^),  so  u2‘n2*V2*  -  ^ 

(7)  Let  Sj  ■  <r2,U2).  Then  for  each  arc  b  in  P, 

Match((b,S2).  I.  (b,5j))  (6)+Def.  2.4-2 

(8)  52  equals  .5^  ,  and  so  it  is  in  E 


(7)+(3)+Def .  2.4-3 
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(9)  Let  2^  be  2^  with  each  Copy  firing  (d,(p,n))  replaced  by  the  firing 
(d,  (Y(p)  ,n)) .  Then  22  ®«lual8  2^  Def.  2.4-5 

(10)  Let  AP  be  the  multiset  of  pointer-node  pairs  in  the  Copy  firings 

in  2^.  AP  is  not  consistent  with  the  heap  in  S 2  m  there  is  a  Copy 
firing  (d,(p,n))  in  &2  8ucb  cbat  either  p  or  n  is  in  a  pair  either 
in  dom  Tl^  or  in  some  preceding  firing  in  2^  (7)+(5)40ef.  5.2-3 

(11)  =*  there  is  a  prefix  0<p  of  2^  in  which  ip  is  a  Copy  firing  (d,(p',n)) 

and  [n  is  in  a  pair  in  dom  or  in  some  preceding  firing  in  &2 
=»  n  is  in  a  pair  in  dom  17^  or  in  a  firing  in  6]  and  [p  is  in  a 
pair  in  dom  or  in  some  preceding  firing  in  2^  •  Y  1(p)  -  p* 
(which  is  unique  since  Y  is  one-to-one)  is  in  a  pair  in  dom  17^ 
or  in  a  firing  in  8]  (9)+(5)+(2) 

(12)  •  letting  ^-8  be  (r'.U')  where  U'  -  (N'.n’.SM’),  either  p’fdom  n' 

or  n€N*  Def.  2.3-1 

(13)  =»  (p',n)  could  not  be  added  to  II  in  going  from  5^*0  to  5^*8(p 

Table  2.2-1 

(14)  *»  2^  is  not  a  firing  sequence  starting  in  (ll)+Def.  2.3-1 

(15)  AP  is  consistent  with  the  heap  in  52  (4)+(10)+(14) 

(16)  22  is  a  halted  firing  sequence  starting  in  5 2 

(4)+(8)+(9)+(10)+(15)+Cor.  5.3-1 

(17)  Let  6^  be  any  prefix  of  2^  and  let  62  be  the  prefix  of  22  of  the 

same  length.  Then  62  equals  6^  (9)+Def.  2.4-5 

(18)  ^2>d2  ®<*ual8  ^1*^1*  *°  for  **ch  arc  b  in  p» 

Match ( (b ,52 •  82) »  I,  (b,^^)),  and  I  is  the  identity  mapping 

(8)+(17)+(7)+(5)+(9)+Thm.  5.3-1+Def.  2.4-3 
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(19)  Let  b  be  any  arc  which  holds  a  token  in  Then  b  holds  a 

token  in  ^2*®2*  For  ^et  vi  be  t*'e  va*ue  °*  t^ie  t®!*®0  on 

b  in  S^*e^.  Then  is  non-pointer  =*  v2  “  v]_  (18)+Def.  2.4-2 

(20)  Assume  that  v^,  hence  v^,  are  pointers.  Let  the  heap  in  be 

U±  -  (Ni,ni,SMi),  for  i  -  1,2.  Then  l^.T^^)  - 

(18)+Def .  2.4-3 

(21)  n2(v2)  "  KlI^Vj))  -  n1(v1)  (20)+(21)+Def .  2.4-1 

(22)  vx  is  in  domrij  (19)+Thm.  2.2-1 

(23)  Vj  is  in  don  n  in  ^  a  v2  ■  Y(vj)  (4)+(21) 

(24)  is  not  in  dom  n  in  »  there  is  a  Copy  firing  in  0^  containing 

the  ordered  pair  (v^Jl^(v^))  (22)+Def.  2.3-1 

(25)  «.  there  is  a  Copy  firing  in  02  containing  (Y(v^)  ,11^^  (v1) ) ,  which 

equals  (Y(v^) ,n2(v2))  (9)+(17)+(21) 

(26)  Since  n2(v2)  ls  in  at  “osf  on®  P®ir  *n  that  Copy  *lring  contains 

the  pair  (15)+Defs.  5. 2-3+2. 3-1 

(27)  v^  is  not  in  dom  n  in  ^  »  v2  ■  Y(v^)  (24)+(25)+(26) 

(28)  is  a  pointer  =»  v2  ■  Y(v^)  (23)+(27) 

(29)  For  any  m,  and  for  1*1,2,  let  A^  be  the  length-m  prefix  of 

Then  (p^  and  <p2  are  firings  of  the  same  actor  d  and  |  |  "  |  A2 1 . 

Then  if  d  is  a  merge  gate,  its  control  input  arc  holds  tokens  of 
the  same  value  inS'^'A^  and  S2*a2  (17)+(19) 

(30)  <p^  and  (p2  remove  tokens  from  the  same  set  of  arcs 

(29)+Defs.  2. 1-5+2. 2-5 

(31)  The  token  on  b  in  0X  was  on  b  in  Sj  iff  there  was  a  token  on  b 

in  S1  and  there  is  no  prefix  Aj^  of  0j^  in  which  q>^  removes  a  token 
from  b  iff  there  ls  a  token  on  b  in  $2  and  there  is  no  prefix  A24>2 
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of  9„  in  which  <p  removes  a  token  from  b  iff  the  token  on  b  in 
2  2 

^2®2  was  on  ^  $ 2  (29)+(30)+Defs.  2. 4-3+2. 4-2 

(32)  For  each  actor  d',  there  are  n'  firings  of  d'  in  0^  iff  there  are 

n'  firings  of  d*  in  @2  (17)+Def.  2.4-5 

(33)  Source(b,S2,02)  *  Source  (b,-S^,ep  (31)+(32)+Alg.  4.3-1 

(34)  There  is  an  entry  f  in  oi^.^)  with  V(f)  *  and  transfer 

T(f )  *  (s,Dst(Ex(d,k) , j))  iff  there  is  a  prefix  of  2^  in  which 

(p^  is  the  kCl1  firing  of  the  actor  labelled  d,  that  firing  removes 
a  token  of  value  v^  from  d's  number-j  input  arc  b,  and 
s  ■  Source (b, 5^,0^)  Alg.  4.3-1 

(35)  iff  there  is  a  prefix  02(p2  of  t*ie  same  len8th  as  0]^) 

which  <p2  is  the  k^  firing  of  d  (9) 

(36)  and  that  firing  removes  a  token  from  b  (29)+(30) 

(37)  and  that  token  has  value  v2  where 

/  v^  if  v^  is  not  a  pointer 

y  ■  | 

^  (  Y(v^)  otherwise  (17)+(19)+(28) 

(38)  and  s  *  Source (b, ©2)  (17)+(33) 

(39)  iff  there  is  an  entry  g  in  (o(S2>22)  with  V(g)  *  v2  and  T(g)  *  T(f) 

Alg.  4.3-1 

(40)  There  is  an  entry  f  in  ^(5^,2^)  with  V(f)  -  v^  and  transfer 

T(f)  »  (8,Dst(Ex(d,k) ,j))  iff  there  is  such  an  entry  in  coOSj^) 
or  there  is  an  arc  b  in  P  which  holds  a  token  in  <S^*2^  va^ue  vj» 

d,  k,  and  j  are  related  to  b  as  in  Alg.  4.3-1,  and 
s  ■  Source(b,S^,2^)  Alg.  4.3-1 

(41)  iff  there  is  such  an  entry  in  w(5-,2-)  or  there  is  an  arc  b  which 
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holds  In  £>2  ’&2  a  token  of  value  V2  where 
|  v^  if  v^  is  non-pointer 

2  I  Y(v1)  otherwise  (34)+(38)+(17)+(9)+(19)+(28) 

(42)  and  d,  k,  and  j  are  related  to  b  as  in  Alg.  4.3-1  and 

s  -  Source(b,S2,a2)  (17)+(9)+(33) 

(43)  iff  there  is  an  entry  g  in  t)(£2,22)  w*th  v(g)  ■  v2  and  T(g)  *  T(f) 

Alg.  4.3-1 

(44)  p^  is  a  permutation  of  rj(5^,2^)  which  is  causal  wrt  lnt(P),  and 

^(Pj^)  is  the  reduction  of  (4)+0ef.  4.3-5 

(45)  There  is  a  permutation  p2  of  which  can  be  derived  from  p^ 

by  replacing  each  entry  f  in  p^  with  an  entry  g  such  that 

T(g)  -  T(f )  and  V(g)  is  V(f),  if  that  is  not  a  pointer,  or  Y(V(f)) 

otherwise  (44)+(40)+(43) 

(46)  The  prefix  of  p2  of  length  |<ijJ  is  a2  (45)+(2)+(4) 

(47)  Let  f  be  any  entry  in  p^,  and  let  g  be  the  entry  in  p2  with 

T(g)  “  T(f) .  Then  f  is  the  Initiating  entry  wrt  Int(P)  of  an 
execution  e  iff  g  is  (45)-H>ef.  4.2-6 

(48)  $(p2)  -  #»(p1)  (47)+Def .  4.3-4 

(49)  <t>(p2)  is  the  reduction  of  2^,  which  is  the  reduction  of  22 

(48)+(44)+(9)+Def.  2.4-5 

(50)  Let  Y28  be  any  prefix  of  P2<  Then  g  is  an  output  entry  of  e  •  for 

the  same-length  prefix  y^f  of  p^,  f  Is  an  output  entry  of  e 

(45)+Def.  4.2-5 

(51)  «*  e’s  initiating  entry  wrt  Int(P)  is  in  (44)+Def .  4.2-7 

(52)  «•  e’s  initiating  entry  is  in  y2 


(47) 
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(53)  Pj  is  causal  with  respect  to  Int(P)  (50)+(52)+Oef .  5.2-7 

(54)  Let  y^g  he  any  prefix  of  p2,  and  let  0 2  be  the  prefix  of  $2  whose 

reduction  Is  $(y2).  Let  y^f  be  the  same-length  prefix  of  2^. 

Then  T(f)  -  T(g)  and  $(Yl)  -  $(y2>  (45)+(47)+Def .  4.3-4 

(55)  Let  0^  be  the  prefix  of  2^  whose  reduction  Is  #>(y^)  •  Then  0^  equals 

02  and  |e2|  “  |01|  (54)+Def .  2.4-5 

(56)  T(g)  has  destination  Dst(Ex(d,k) ,j)  and  dfDL  =»  T(f)  has  the  same 

destination  and  d^OL  =  d  is  enabled  in  5^*0^  and  if  d  Is  a  merge 
gate  and  its  number-j  input  arc  b  is  its  T  (F)  input  arc,  then  d's 
control  input  arc  has  a  true  (false)  token  in  S^‘0^ 

(54)+(55)+(4)+Def .  2.4-5 

(57)  «*  d  is  enabled  in  ^2*32  an<*  is  a  “Ctge  gate  and  b  is  its  T  (F) 

input  arc,  then  its  control  input  arc  holds  a  true  (false)  token 
in  S2-e2  (8)+(55)+(29)+Cor.  5.3-1 

(58)  For  any  firing  sequence  A2  starting  in  ^2^2*  *t  *8  possible  to 

change  the  pointer-node  pairs  in  the  Copy  firings  in  A2  to  derive 
an  equal  firing  sequence  which  is  consistent  with  the  heap  in 
Sl’Q1  Defs.  2. 4-5+5. 2-3 

(59)  For  any  firing  sequence  A2  starting  in  S2’02,  there  is  an  equal 

firing  sequence  A^  starting  in  5^*0^  (58)4Cor.  5.3-1 

(60)  T(g)  has  destination  Dst(Ex(d,k) ,j) ,  d€DL  and  d-(c,n)  *•  T(f)  has 

the  same  destination  =»  letting  b  be  the  number-n  program  output 
arc  of  P,  if  c  -  "0D",  or  else  the  number-n  input  arc  of  c, 
there  is  a  token  on  b  in  5^*0^  and  if  c  is  an  actor  label,  there 
is  no  firing  sequence  starting  in  S^‘9^  which  contains  a  firing 
of  c  (54)+(55)+(4)+Def .  4.3-5 


(61)  -  there  Is  a  token  on  b  In  ^2*^2  anc*  c  18  an  actor  label,  there 

is  no  firing  sequence  starting  in  *02  which  contains  a  firing 
of  c  (55)+(17)+(19)+(59)+Def.  2.4-5 

(62)  R-  is  in  J„  „  (45)+(49)+(53)+(54)+(56)+(57)+(60)+(61)+Def.  2.4-5 

52,a2 

(63)  a2  is  ^  J  (8)+(16)+(62)+(46) 

A 

This  essentially  completes  the  confirmation  that  the  first  two  S-S 
constraints  are  satisfied  in  EE(Lgg,S).  The  next  subsection  commences 
the  proof  for  the  final  five  constraints. 

5.3.2  Canonical  Computations 

The  purpose  here  is  to  demonstrate  that  the  remaining  constraints 
are  satisfied  by  any  canonical  computation  or  pair  of  canonical  compu¬ 
tations  in  a  job;  this  is  the  first  step  in  proving  that  they  are 
satisfied  by  any  computations. 

The  Atomic  Output  and  Structure  Output  Constraints  concern  the  output 
entries  of  an  execution  e^  which  is  in  the  reach  of  another  execution  e^. 
The  proof,  an  eloquent  testimonial  to  the  utility  of  the  definition  of  the 
heap  determined  by  a  computation,  has  already  been  outlined  at  the  start 
of  Section  5.2. 

Lemma  5.3-3  Let  S  be  any  initial  standard  state  for  an  L^g  program  P,  and 
let  Q  be  any  halted  firing  sequence  starting  in  5.  Then  t)(5,q)  satisifes 
the  Atomic  Output  Constraint  and  the  Structure  Output  Constraint  (given 
lnt(F)) . 


Proof 
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(1)  Let  to  •  "H (5,2)  and  let  f  be  any  entry  in  co  such  that  T(f)  has 

source  Src(e,i)  for  any  Fetch,  Assign,  Select,  Update,  or  Delete 
execution  e  -  Ex(d,k)  and  any  i.  Let  Int(P)  be  (St,/, IE).  Then 
dfSt-DL  Defs.  4. 3-2+4. 3-1 

(2)  There  is  a  prefix  0<p  of  £  containing  exactly  k  firings  of  d  such 

that  tokens  of  value  V(f)  appear  on  the  number-1  group  of  output 
arcs  of  d  at  the  transition  from  S‘Q  to  S'0<p  (1)+Lemma  4.3-1 

(3)  (p  must  be  the  kC^  firing  of  d  in  £2  (2)+Defs.  2. 1-5+2. 2-5 

(4)  Let  the  heap  in  S’Q  be  (N,TT,SM).  Let  a  be  r)(£',0)  and  let  NAR  be 

the  node  activation  record  derived  from  6  and  a.  Then  the  heap 
determined  by  a  from  the  heap  in  S  and  NAR,  (N^  I^Ta,SMa>,  18 
defined  and  is  identical  to  (N,fI,SM)  Thm.  5.2-1 

(5)  Let  p  be  r)(S,9(p),  let  p  be  the  value  of  the  number-1  input  to  cp, 

and  let  n  *  IT(p).  Then  g  *  Entp(e,l)  is  in  p  but  not  in  a,  V(g) 
is  p,  and  there  are  m  input  entries  to  e  in  p,  where  m  tokens  are 

removed  by  <p  (3)+(l)+Alg.  4.3-1 

(6)  V(g)  ■  p  is  a  pointer  (5)+(l)+Def.  2.2-5 

(7)  m  =  In(/(d)),  so  e  is  initiated  in  p  (5)+Defs.  4 . 3-2+4 . 3-1+4 . 2-6 

(8)  p  is  a  prefix  of  co,  as  is  a  (5)+(2)+Alg.  4.3-1 

(9)  p  and  to  are  both  causal  computations  for  Int(P)  Lemma  4.3-2 

(10)  For  any  pointer  q,  q  is  the  value  of  the  output  entries  in  “  of  a 

Copy  execution  C  =»  the  first  entry  in  co  with  value  q  is  an  output 
entry  of  C  Lemma  5.2-3 


(11)  For  any  Assign,  Update,  or  Delete  execution  e',  efR(e')  in  co  • 

e€R(e’)  in  P  (7)-(10)+Lemma  5.2-6 
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(12)  a  g  is  In  duration  D(e')  in  {3  (5)+Defs.  5. 1-6+5. 1-8 

(13)  »»  D(e')  extends  to  the  end  of  Ha  (2)+(4)+(5)+(6)+Lemma  5.2-7 

P 

(14)  pldom  n  ■  dom  n  (5)+Thm.  2.2-1 

a 

(15)  efR(A)  for  Assign  execution  A  =>  D(A)  extends  to  the  end  of  Ha 

P 

(11)+(13) 

(16)  =.  the  value  in  SM  (n)  -  SM(n)  is  v  -  V(Ent  (A, 2)) (14)+(4)+Def .  5.2-7 

a  a 

(17)  =»  if  (p  is  a  Fetch  firing  a  i  *  1,  then  the  value  placed  on  the 

number-i  group  of  output  arcs  of  d  by  (j  is  v  (2)-(5)+Table  2.2-1 

(18)  =»  if  e  a  Fetch  execution  a  i  ■  1,  then  V(f)  *  v  (l)+(2)+(3) 

(19)  e£R(A)  for  Assign  execution  A,  i  -  2,  and  cp  is  a  Fetch  or  Assign 

firing  =>  the  value  placed  on  the  number-1  group  of  output  arcs  of 
d  by  cp  is  the  value  of  the  predicate  (v^nil) 

(15)+(16)+(2)-(5)+Table  2.2-1 

(20)  aeisa  Fetch  or  Assign  execution,  i  ■  2,  and  V(f)  ■  (vjtnil) 

(l)+(2)+(3) 

(21)  co  satisfies  the  Atomic  Output  Constraint 

(l)+(16)+(18)+(20)+Def .  4.2-6+Table  2.2-1 

(22)  Assume  e  is  a  Select,  Update,  or  Delete  execution.  Then  cp  is  a 

Select,  Update,  or  Delete  firing,  and  the  selector  input  s  to  cp 
equals  V(Entw(e,2))  (l)+(3)+Alg.  4.3-1 

(23)  e€R(D)  for  Delete  execution  D  *»  V(Ent  (D,2))  »  s  (22)+Def .  5.1-8 

co 

(24)  •  there  is  no  ordered  pair  containing  s  in  SM(n) 

(ll)+(13)+(14)+(4)+Def .  5.2-7 

(25)  •  if  e  is  a  Select  execution  A  i  ■  1,  then  V(f)  »  undef ,  and  if 

i  -  2,  then  V(f)  -  false  (l)-(5)+Table  2.2-1 


a. . — 
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(26)  e€R(U)  for  Update  execution  U  =*  the  ordered  pair  (s,l"I(r))  is  in 

SM(n),  where  r  -  V(Ent  (U,3)) 

a 

(22)+(ll)+(13)+(14)+(4)+Defs.  5. 1-8+5. 2-7 

(27)  =»  if  e  is  a  Select  execution  a  i  =  1,  then  V(f)  =  V(Ent  (U,3)), 

£0 

and  if  i  -  2,  then  V(f)  =  true  (l)-(5)+(8)+Table  2.2-1 

(28)  co  satisfies  the  Structure  Output  Constraint 

(l)+(23)+(25)+(26)+(27)+Def.  4.2-6+Const.  5.1-4 

A 

Not  every  execution  in  a  computation  falls  into  a  reach;  further¬ 
more,  even  if  a  First  or  Next  execution  e  does  fall  into  one  or  more 
reaches,  these  do  not  completely  determine  the  set  of  selectors  upon  which 
e's  output  entries  depend.  Under  a  certain  condition,  however,  the  output 
entries  of  two  such  executions  e^  and  e 2  must  have  the  same  value  in  two 
computations  and  co^  in  the  same  job:  if  the  pointer  inputs  p^  and  p2 
to  e^  and  e^  are  such  that 
in  the  Initial  Structure  and  the  First/Next  Output  Constraints. 

The  proof  that  any  pair  of  canonical  computations  and  co2  in  a 
job  satisfies  these  two  constraints  proceeds  along  the  following  lines: 

1.  For  i=l,2,  *  r)(5i,2i),  where  S ^  and  are  two  initial  states 

which  are  equal  under  some  mapping  I. 

2.  The  output  entries  of  e^  can  be  related  to  the  content  of  a  partic¬ 

ular  node  in  the  heap  *  (N^,n^,SM^)  in  S The  relationship  is 
derived  from  the  heap  determined  by  from  U^,  by  applying  reason¬ 
ing  similar  to  that  just  used  in  Lemma  5.3-3.  The  particular  node 
in  N^  is  ^^(q^),  where  q^  is  the  unique  pointer  in  dom  such  that 
DD^  (Lemma  5.3-4  below). 


^P1,CJ1^P^P2’W2^  ’  T*,is  assertion  is  expressed 
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3.  (Pl.«'1)(.'(p2,.o2)  «  (**1  •“'1) p(«l2 »‘°2^  ~  ql  *n<1  q2  pwlnt  to 
components  (under  t)  of  ll,  end  U  ;  thue  the  contents  of  ll^(qj)  and 

1 1 2 ( *1 2 ^  *'av*  identical  valuea  and  eelector  seta  (Theorem  S .  1—2) . 

4.  The  non-pointer  output  entries  of  Sj  and  e^  are  identical 
(Lemma  5.3-5). 

Lemma  5.3-4  Let  be  any  initial  atate  for  an  t.  program  P,  and  let  the 
heap  in  *>  be  (N,U,SM).  Let  be  any  firing  sequence  atari  ing  in  let 
be  ,,(,*.«).  and  let  e  be  any  execution  of  any  structure  operator  (except 
Copy).  Let  p  be  V(Ent(e,l)),  let  q  be  the  unique  pointer  in  dom  n  such 

that  DO  (q.p),  and  let  n  •  11  (q) .  Titan  the  conclusions  depleted  In 

10 

Table  5.3-1  can  be  drawn  about  the  valueM  of  e'a  output  entries  in  ,o. 

Pj.au I :  (The  reasoning  here  la  ao  almilar  to  that  in  Lemma  5.3-3  that  the 
proof  has  been  removed  to  Appendix  D.) 

Theorem  5. 3-2  Let  and  i*2  be  any  rwo  equal  initial  standard  states  for 

the  same  1.  program  P.  Let  t  be  the  elngle  one-to-one  mapping  under 
BN 

which  the  conditions  in  and  .‘>2  of  each  arc  in  P  match.  For  1-1,2,  let 
the  heap  in  be  l>^  -  (N^  ,11^  ,SMjl ,  let  be  any  firing  sequence  starting 
In  .‘?j,  and  let  .Oj  be  n(.*Jj,ldj)  •  l<«t  p  be  the  equal  pointer  relation  defined 
from  lnt(P).  Assuming  that  <o^  and  <0^  are  both  computations  for  lnt(P), 
for  any  two  pointers  p^  and  p2, 

At  (Pj.a'jMPj.*^)  ■*  wh*r*»  for  i*i.2.  qA  is  the 

unique  pointer  in  dom  tl.  auch  that  DD  (q.,p.). 

1  Wj  l  l 

Bt  p  fdom  II j ,  pjfdom  flj,  and  (p^.Mjh'iPjPOg)  - 


If  e  is  a  Fetch  or  Assign  execution  and  is  not  in  a  reach,  then  the 
value  of  Src(e,i)  is  given  below,  where  v  is  the  value  in  SM(n) . 


Fetch 


Assign 


i  -  2 
vfriil 
v*nil 


If  e  is  a  Select,  Update,  or  Delete  execution  and  is  not  in  a  reach 

then  the  value  of  Src(e,i)  is  given  below,  where  s  ■  V(Ent  (e,2)). 

oo 

If  there  is  an  r  such  that  (s,n(r)) €SM(n) : 


i  -  2 
true 
true 


Select 


Update/Delete 


i  -  1 
undef 
0 


1-2 

false 

false 


If  e  is  a  First  execution  or  a  Next  execution  with  selector  input  s 
then  the  value  of  Src(e,i)  depends  just  on  s  and  the  set  S  of 
selectors  defined  by: 

S  ■  (Sa-Sb)USc,  where 

Sa  •  {s €Z ]  3m:  (s,m)€SM(n) }, 

Sb  -  {s€Z |  3Delete  D:  eCR(D)  in  u  and  s  -  V(Entu(D,2)) }, 

and  Sc  ■  {a €Z |  BUpdate  U:  e€R(U)  in  co  and  s  “  V(Ent  (U,2))} 

(0 

Outputs  of  an  Execution  which  is  Not  in  a  Reach 


Table  5.3-1 
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1.  There  is  en  ere  of  P  which,  for  1*1,2,  holds  a  pointer  r^  in  S ^ 
such  that  n^p^)  equals  or  is  reachable  from  n^r^)  in  U^. 

2.  n^Pj)  “  KTTj^Cpj)) 

3.  sM2(n2(p2))  -  i(SM1(n1(p1))) 

Proof : 

(1)  Let  lnt(P)  -  (ST,/, IE).  Then  (px  .a^)  p(p2  ,a>2)  - 

(la)  There  is  a  source  s  -  Src(e,i)  for  some  e€lE  and  some  i  such  that 

P1  ^P2^  is  t*>e  va*ue  °*  8  *n  ui  *  °r 

(lb)  There  are  Select  executions  and  S2  such  that 

p^  is  the  value  of  Src^^.l)  in  i»l,2, 
does  not  fall  into  a  reach  in  co^,  1*1,2, 

V(Ent  (Sj.,2))  -  V(Entu  (S2,2)),  and 
(V(Enta^(S1,l)),«1)p(V(Entco  (S2,l))  ,a>2)  ,  or 

(lc)  Bq^Pj^  such  that  DD^  (q.p^  and  (q,co^)p(p2,a>2)  Def.  5.1-10 

Proof  is  by  induction  on  the  smallest  number  n  of  recursive  applications 
of  the  above  three  rules  required  to  derive  that  (p1,o)^)p(p2,o>2) .  Induc¬ 
tion  hypotheses  are  A  with  the  addition  of  "The  shortest  derivation  of 
(q^.ooj) p(q2,«2)  has  no  more  steps  than  the  shortest  derivation  of 
(p1,a31)p(p2,w2) ,"  and  B. 

(2)  (la)  is  true  of  Pj  and  p2  «  there  is  a  one-step  derivation,  so  n-1 

(3)  The  last  step  in  the  shortest  derivation  Is  an  application  of  (lb) 

or  (lc)  »  there  is  a  pair  of  pointers  q^  and  q2>  not  the  same  as  p^ 
and  p2»  such  that  it  has  been  derived  that  (q1,»1)p(q2,co2) 

(A)  *  there  is  at  least  one  additional  step  in  the  derivation,  so  n  >  1 


Basis:  n-1 
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(l)+(3)+(4) 
(5)+(la)+Def .  4.3-2 


w 


(5)  (la)  Is  true  of  and  p2 

(6)  e€{Ex(ID,0),  Ex(IT,0),  Ex(IF,0)} 

(7)  There  Is  a  pointer  of  value  p^  (p^)  on  the  number-i  program  input 

arc  of  P  in  5X  <S2>  (6)+Alg.  4.3-1 

(8)  There  is  an  arc  b  in  P  which  has  a  token  of  value  p^  (p^)  in  5^ 

(Sj  and  p.fdomn  (p,€dom  n  )  (7)+Def.  2.2-6 

4  1  1  4  2 

(9)  For  i*l,2,  p^  “  q^,  the  unique  pointer  in  dom  n  such  that 

DDco  (qi,pi)  (8)+Def .  5.1-9 

(10)  (qx  ,&>^)p(q2,co2)  ,  and  the  shortest  derivation  of  this  has  no  more 

steps  than  the  shortest  derivation  of  (Pj,f'>^)P(P2«c°2^  (l)+(9) 

(11)  Match((b,51),  I,  (b,S2))  (8)+Def.  2.4-3 

(12)  U2.n2(p2)  l  U1.ni(p1)  (8)+(ll)+Def .  2.4-2 

(13)  n2(p2)  -  I(ni(p1))  and  SM2(n2(p2))  -  l(SM1(ni(p1)))  (12)-H)ef.  2.4-1 

Induction  step:  Assume  that  the  induction  hypotheses  are  true  for  any 

p^  and  p2  if  the  shortest  derivation  of  (p^iC»^)p(p2>co2)  has  n  or  fewer 
steps,  n  >  0.  Consider 

(14)  and  p2  for  which  the  shortest  derivation  has  nfl  steps 

(15)  Either  (lb)  or  (lc)  is  applied  as  the  last  step  (l)+(2) 

(16)  (lb)  is  the  last  step;  i.e.,  is  true  of  p^  and  p2  *»  since  is  not 

in  a  reach  in  u^,  letting  p^  be  V(Entu  (S^l))  and  s  be 

V^nt^  (S1,2)),  the  pair  (sJI^pj))  is  in  SMi(ni(q|))  where  q^  is 

the  unique  pointer  in  dom  such  that  DD^  (lb)+Lemma  5.3-4 

(17)  »  p^fdom  n£  Defs.  2. 2-6+2. 2-1 

(18)  “  (q^,ai^)p(q2,co2)  and  the  shortest  derivation  of  this  has  the  same 

number  of  steps  as  the  shortest  derivation  of  (p^,co2)p(p2,co2) 

(8)-(10) 
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(19)  (lc)  is  the  last  step  ■»  Bp'^:  DD  (p£,pp  and  (p^op p(p2,ap  ~ 

the  shortest  derivation  of  (Pp“p p(p2,a>2)  ^as  n  8teP8  (14) 

(20)  •  p(q2,w2)  *  w*iere  9*  *8  c^e  unique  pointer  in  dom  17^  such 

that  DD^(q^,Pj)  and  DD^  (q2tP2),  and  the  shortest  derivation  of 
this  has  no  more  than  n  steps  lnd.  hyp.  A 

(21)  *»  DD^  (q^p  (19)+Def .  5.1-9 

(22)  =»  (9i>apP(<l2»a>2)  *  w^ere  9^  *8  the  unique  pointer  in  dom  IT^  such 

that  DD^  (q^,p^),  and  the  shortest  derivation  of  this  has  no  more 
steps  than  the  shortest  derivation  of  (p^cpp^.cip  (20)+(14) 

(23)  A  for  P;l  and  p2  (15)+(16)+(18)+(19)+(22) 

(24)  (lc)  is  true  of  p^  and  p2  **  Bp^/p^  DD^  (p£,pp  “  Pj^  is  the  value 

of  the  output  entries  of  a  Copy  execution  in  Def.  5.1-9 

(25)  «  ppdom  =»  B  is  vacuously  true  Lemma  5.2-3 

(26)  (lb)  is  the  last  step  applied  •  letting  p^  be  V(Ent^  (S^,l))  and  s 

be  V(Entw  (S^.2)),  the  pair  (s,IIi(pi))  is  in  SM^ffipqp),  where 
q^  is  the  unique  pointer  in  dom  II ^  such  that  DD^  (q£  ,pp  and 
<Pp  »mp  P(P2  »®2)  (16)+(lb) 

(27)  -  the  shortest  derivation  of  (p^app^.ap  consists  of  an  appli¬ 

cation  of  (lb)  following  the  shortest  derivation  of 
(pP®pp(P2»w2^  *  which  1,88  n  8t*P8  (1)+(14) 

(28)  <=»  (qpco^)P(q2><02)  and  the  shortest  derivation  of  this  contains  no 

more  steps  than  the  shortest  derivation  of  (ppupp(p2,u>2) 

(26)+lnd.  hyp.  A 

(29)  »  the  shortest  derivation  of  (q^cpp^.cip  has  n  or  fewer  steps 

(27) 

(30)  •  SM2(TI2(qp)  ■  I(SM1(IT1(qp)) ,  and  there  is  an  arc  of  P  which  holds 
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(31) 

(32) 

(33) 

(34) 

(35) 

(36) 


a  pointer  In  5^  such  that  n^(q|)  equals  or  is  reachable  from 
n^(r^)  In  Ut  (26)+ind.  hyp.  B 

-  Since  (s,ni<Pi))  €SMjL(ni(q')) ,  n2(p2)  -  I(n1(p1))  and  ni(pi)  is  a 
successor  of  Il^qp  (26)+Defs.  2. 4-1+2. 2-2 

a  u2.n2(r2)  i  u1.n1(r1) 


fMpj)  is  reachable  from  ^(r^) 


Defs.  2. 4-3+2. 4-2 
(30)+Def.  2.2-2 

=»  SM2(I(ni(p1)))  -  I(SM1(ni(p1)))  (32)+Def .  2.4-1 
*  sM2(n2(p2))  -  i(SM1(n1(p1)))  (3i) 
B  for  Pl  and  p2  (15)+(24)+(25)+(26)+(30)+(31)+(35) 


Lemma  5.3-5  For  any  LgS  program  Pt  let  S ^  and  S ^  be  any  two  equal  initial 
standard  states  for  P.  For  i*l,2,  let  ^  be  any  halted  firing  sequence 
starting  in  S±  and  let  «  ^(S^.&j).  Then,  given  Int(P),  the  pair 
consisting  of  co^  and  «2  satisfies  the  Initial  Structure  Constraint  and 
the  First/Next  Output  Constraint. 


Proof:  (The  proof  of  this  is  simply  a  detailed  expansion  of  the  outline 
given  on  page  259,  and  so  has  been  deferred  to  Appendix  D.) 

A 

The  final  constraint  is  the  Unique  Pointer  Generation  Constraint. 
Briefly,  this  states  that  the  pointer  output  of  a  Copy  execution  in  a 
computation  co  must  be  different  from  the  pointer  output  of  any  input 
execution  (that  is,  one  in  IE),  any  other  Copy  execution,  and  any  Select 
execution  which  does  not  fall  into  a  reach  in  co. 


Lemma  5.3-6  For  any  Initial  standard  state  S  for  any  L^g  program  P,  and 
for  any  halted  firing  sequence  Q  starting  in  5,  r)(S,&)  satisfies  the 
Unique  Pointer  Generation  Constraint. 
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Proof ; 

(1)  Let  oo  -  r)(£,  8) .  Then  m  is  a  computation  for  Int(P)  “  (St,/, IE) 

Lemma  4.3-2 

(2)  Let  p  be  the  value  in  co  of  the  output  entries  of  any  Copy  execution 

C.  Let  the  heap  in  5  be  (N,n,SM).  Then  p^dom  II  and  no  other 
Copy  execution  has  output  entries  in  co  of  value  p  (1)+Lemma  5.2-3 

(3)  For  any  pointer  p',  p'  is  the  value  of  the  output  entries  of  any 

execution  e(IE  =»  e€{Ex(ID,0) ,Ex(IT,0) ,Ex(IF,0) }  (1)+Def.  4.3-2 

(4)  =»  p'  is  on  an  arc  of  p  in  S  Alg.  4.3-1 

(5)  ■»  p*  is  in  dom  n  =»  p'*P  (2)+Def.  2.2-6 

(6)  For  any  pointer  p' ,  p'  is  the  value  of  the  output  entries  in  co  of  a 

Select  execution  S  which  does  not  fall  into  a  reach  =»  (s,n(p')) 
is  in  SMffKq))  for  some  qfdom  n  (2)+(l)+Lemma  5.3-4 

(7)  «.  n(p’)(N  =  p' (dom  II  »  pVp  (2)+Def.  2.2-1 

(8)  co  satisfies  the  Unique  Pointer  Generation  Constraint 

(2)+(3)+(5)+(6)+(7)+Const.  5.1-7 

A 

5.3.3  The  Qualifying  Relationships 

This  subsection  provides  the  results  necessary  to  complete  the  second 
step  of  the  proof  that  all  computations  in  a  job  satisfy  the  final  five 
constraints.  Recalling  the  comprehensive  outline  provided  at  the  start  of 
Section  5.3,  the  goal  here  is  to  prove  that  for  any  two  computations  and 
aj  in  a  job  J,  there  are  canonical  computations  co^  and  ^  in  J  such  that: 

A:  For  1*1,2 ,  for  any  execution  e^  initiated  in  a^,  e^  is  in  R^)  in 
iff  Sj  is  in  Rtej)  in  co^. 

1:  For  any  two  pointers  Pj^  and  p2»  (p^d^pCpj*^)  •  * 
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For  i*l,2,  the  appropriate  is  found  from  as  follows:  Every  a  is  a 
prefix  of  some  p  in  J  ,  where  S  is  an  initial  standard  state  and  2  is 
a  halted  firing  sequence  starting  in  5;  in  turn  p  is  a  permutation  of 
co  *  ri^.a) . 

A  follows  from  two  invocations  of  an  earlier,  general  result  relating 
reaches  in  a  pair  of  computations  (Lemma  5.2-6).  Two  requirements  must  be 
met  by  any  pair  y  and  6  before  this  result  can  be  applied  to  them.  First 
is  that  either  y  is  a  prefix  of  6  or  6  is  SOE-inclusive  of  y.  The  p^ 
selected  above  has  as  a  prefix,  and  it  is  easily  confirmed  that  co^  is 
SOE-inclusive  of  p^  (Lemma  5.3-7  below).  The  second  requirement  is  that 
For  every  pointer  p,  p  is  the  value  in  6  of  the  output  entries  of  a 
Copy  execution  C  =»  the  first  entry  in  6  with  value  p  is  an  output 
entry  of  C. 

This  has  already  been  established  for  all  canonical  computations  6,  such 
as  a)^  (Lemma  5.2-3).  It  is  here  proven  for  6  ■  p^  by  an  indirect,  two- 
step  process.  First  it  is  shown  to-be  true  for  any  causal  computation 
which  satisfies  the  Input/Output  Type,  Structure  Output,  and  Unique 
Pointer  Generation  Constraints  (Lemma  5.3-8).  Then  it  is  shown  that, 
since  is  known  to  satisfy  these  constraints,  any  computation  of  which 
it  is  SOE-inclusive,  including  p^,  must  satisfy  them  as  well  (Lemma  5.3-9). 
(The  reason  for  this  two-part  development  is  that  the  first  lemma  is  in  a 
form  which  can  be  used  several  times  in  Chapter  6.)  With  these  prelimin¬ 
aries,  Lemma  5.2-6  can  be  applied  first  to  and  p^,  then  to  p^  and  co^, 
to  yield  A. 

Finally,  Lemma  5.3-10  displays  the  simple  manipulations  of  definitions 
needed  to  prove  that  A  Implies  B. 
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Lemma  5.3-7  Let  S  be  any  (standard  or  modified)  initial  state  for  an  Lgg 
program  P,  and  let  2  be  any  halted  firing  sequence  starting  in  S.  Let  co 
be  t)(S,2)  and  let  p  be  any  computation  in  J„  .  Then  co  is  SOE-inclusive 
of  p. 

Proof : 

(1)  p  is  a  causal  permutation  of  co  such  that  $fp)  is  the  reduction  of  Q 

Def.  4.3-5 

(2)  co  is  also  in  ,  and  $(co)  is  the  reduction  of  2  Lemma  4.3-3 

(3)  co  la  a  computation  for  Int(P),  so  p  is  as  well 

(l)-fLeoma  4.3-2+Def.  4.2-6 

(4)  Let  Int(P)  be  (St,/, IE),  and  let  e  ■  Ex(d,k)  be  any  execution  in 

which  /(d)  is  a  structure  operation.  Then  dfSt-DL  Def.  4.3-2 

(5)  e  is  Initiated  in  p  =»  there  are  In(/(d>)  input  entries  to  e  in  p 

=9  there  are  ln(  /(d))  input  entries  to  e  in  co  =*  e  is  initiated  in  co 

(1)+Def .  4.2-6 

(6)  Let  NDE  be  the  set  of  executions  NDE  ■  {Ex(d,k) j  d(St-DL).  For  any 

Ex(d,k)  in  NDE  which  is  initiated  in  p,  the  initiating  entry  to  e 
is  preceded  in  both  p  and  co  by  the  initiating  entry  to  exactly 
k-1  other  executions  of  d  (4)+(2)+(5)+Cor .  4.3-1 

(7)  For  any  n  5  |$(p)  |  ■  |f>(co)  | ,  the  n**1  execution  in  NDE  to  initiate  in 

p  is  Ex(d,k)  iff  the  n**1  firing  in  $(p)  is  a  firing  of  d  and  is 
preceded  by  exactly  k-1  other  firings  of  d;  i.e.,  is  the  k1** 
firing  of  d  (l)+(2)+(6)+Def .  4.3-4 

(8)  iff  the  nC^  firing  in  $(co)  is  the  k6*1  firing  of  d  (l)+(2) 

(9)  iff  the  n^  execution  in  NDE  to  Initiate-  in  co  is  Ex(d,k)  Def.  4.3-4 
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(10)  Let  e  end  e'  be  any  two  distinct  structure  operation  executions 

such  that  e  Is  Initiated  In  p.  Then  both  e  and  e'  are  In  NDE 

(4)+(6) 

(11)  e'  Initiates  before  e  In  p  Iff  e  Is  the  n^  execution  In  NDE  to 

Initiate  in  p,  n  <  |<t>(p)|  ,  e'  is  the  and  m  <  n  iff  e  is  the 

n**1  execution  in  NDE  to  initiate  in  go,  n  5  |$(co)  | ,  e'  is  the 
and  m  <  n  iff  e'  initiates  before  e  in  go  (10)+(7)+(9) 

(12)  Any  execution  which  has  output  entries  in  go  has  output  entries  in  p. 

For  every  entry  f€p,  there  is  an  entry  with  the  same  value  in  go 

whose  transfer  has  the  same  source  as  T(f) .  For  any  execution  e 

and  for  any  j,  if  there  is  an  entry  EntQ(e,j)  in  p,  then  there  is 

P 

an  entry  Ent^(e.j)  in  go  with  the  same  value  (1) 

(13)  go  is  SOE- inclusive  of  p  (3)+(4)+(5)+(10)+(ll)+(12)+Def .  5.2-8 

A 

Lemma  5.3-8  Let  go  be  any  causal  computation  for  interpretation  (St,  /,IE) 
which  satisfies  the  Input/Output  Type,  Structure  Output,  and  Unique 
Pointer  Generation  Constraints.  Then: 

A:  For  any  pointer  p  which  is  the  value  of  an  entry  in  go,  the  first 
entry  in  w  with  value  p  is  an  output  entry  of  an  execution  which 
either  is  in  IE,  is  a  Copy  execution,  or  is  a  Select  execution 
which  is  in  no  reach  in  go. 

B:  For  any  pointer  p  which  is  the  value  in  <o  of  the  output  entries  of 
a  Copy  execution  C,  the  first  entry  in  go  with  value  p  is  one  of 
those  output  entries  of  C. 

C:  For  any  structure  operation  execution  e  initiated  in  co  and  for  any 


Assign ,  Update,  or  Delete  execution  A,  e  is  in  reach  R(A)  in  co  => 

A  is  Initiated  before  e. 

Proof :  By  induction  on  the  lengths  of  the  prefixes  a  of  u>.  Induction 
hypotheses  are  that  A  and  B  are  true  for  any  p  which  appears  as  the  value 
of  an  entry  in  a,  and  C  is  true  for  any  e  initiated  in  a. 

Basis:  |a|  >0.  A  and  B  are  vacuously  true. 

(1)  e  *  Ex(d,k)  is  a  structure  operation  execution  =»  In(/(d))  >  0  =» 

e  is  not  initiated  in  a  Defs.  5.1-1+4.2-6 

Induction  step:  Assume  the  induction  hypotheses  are  true  for  any  prefix 
of  length  n,  0  5n<  |co|,  and  consider  prefix  af  of  a>  of  length  n+1. 

(2)  Let  p  be  any  pointer  which  is  the  value  of  an  entry  in  af.  If  p 

is  the  value  of  an  entry  in  a,  then  A  and  B  hold  for  p  lnd.  hyp. 

(3)  Assume  that  p  is  not  the  value  of  any  entry  in  a.  Then  f  is  the 

first  entry  in  oo  with  value  p  (2) 

(4)  Let  e  be  the  execution  of  which  f  is  an  output  entry.  Either  e  is 

in  IE,  e  is  a  pi  execution,  or  e  is  a  Copy  or  Select  execution 

(2)+(3)+Const.  5.1-1 

(5)  e  is  initiated  in  a  (4)+Def.  4.2-7 

(6)  e  is  a  pi  execution  =>  3 j :  V(Ent(e,j))  ■  p  (3)+(4)+Defs.  4. 2-6+5. 1-2 

(7)  =»  there  is  an  entry  in  a  with  value  p  (5)+Def.  4.2-6 

(8)  e  is  not  a  pi  execution  (6)+(7)+(3) 

(9)  e  is  a  Select  execution  which  is  in  a  reach  in  =»  e  is  in  the  reach 

of  an  Update  execution  U  and  V(Ent(U,3))  ■  p 

(3)+(4)+Def.  6.1-6+Const.  5.1-4 

(10)  »  U  is  initiated  before  e  Inti  (5)+Def.  4.2-6+ind.  hyp.  C 
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(11)  =»  U  is  Initiated  in  a,  so  Ent(U,3)  is  in  a  (5)+Def.  4.2-6 

(12)  e  is  not  a  Select  execution  which  is  in  a  reach  in  co  (9)+(ll)+(3) 

(13)  e  either  is  in  IE,  is  a  Copy  execution,  or  is  a  Select  execution 

which  is  in  no  reach  in  co  (4)+(8)+(12) 

(14)  p  is  the  value  in  co  of  the  output  entries  of  a  Copy  execution  C  => 

p  is  not  the  value  in  co  of  the  output  entries  of  an  execution 
which  either  is  in  IE,  is  a  Copy  execution  other  than  C,  or  is  a 
Select  execution  which  is  in  no  reach  in  co  Const.  5.1-7 

(15)  =*  e  =  C  (3)+(4)+(13) 

(16)  A  and  B  are  true  for  any  p  which  is  the  value  of  an  entry  in  af 

(l)+(3)+(13)+(4)+(14)+(15) 

(17)  Let  e  be  any  structure  operation  execution  initiated  in  af.  e  is 

initiated  in  a  =»  C  is  true  for  e  ind.  hyp.  C 

(18)  Assume  f  is  the  initiating  entry  of  e  in  co.  Let  A  be  any  Assign, 

Update,  or  Delete  execution  such  that  e€R(A)  in  co.  Then  Ent(e,l) 
is  in  duration  D(A)  in  co  Defs.  5. 1-6+5. 1-8 


(19)  Either 

(19a)  Ent(A,l)  precedes  Ent(e,l)  in  the  same  access  history  in  co,  or 

(19b)  Ent(e,l)  is  in  access  history  Hw  for  some  p  which  is  the  value  of 

P 

the  output  entries  in  co  of  a  Copy  execution  C,  and  Ent(C,l)  is  in 
D(A)  in  co  (18)+Defs.  5. 1-5+5. 1-7 

(20)  (19a)  =»  A  initiates  before  e  in  co  Def.  5.1-4 

(21)  (19b)  =>  C€R(A)  Defs.  5. 1-6+5. 1-8 

(22)  A  There  is  an  entry  in  af  with  value  p  (18)+Defs.  5. 1-4+4. 2-6 

(23)  A  the  first  entry  with  value  p  in  co  is  an  output  entry  of  C 

(19b)+(16) 
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(24)  =>  there  is  an  output  entry  of  C  in  af 

(25)  a  C  is  initiated  in  a 

(26)  =»  A  is  initiated  before  C  in  a 

(27)  =»  A  is  Initiated  in  a 

(28)  =»  A  is  initiated  before  e  in  co 

(29)  C  is  true  for  any  e  initiated  in  af 


(22) 
Def.  4.2-7 
(24)+ind.  hyp.  C 
(25)+Def .  4.2-6 
(18)+Def.  4.2-6 
(17)-(21)+(28) 

A 


Lemma  5 . 3-9  Let  a  and  p  be  any  two  causal  computations  for  the  same 
interpretation  (St,  /,IE)  such  that  (3  is  SOE-inclusive  of  a-  If  p  satisfies 
the  Input/Output  Type,  Structure  Output,  and  Unique  Pointer  Generation 
Constraints,  then  a  satisfies  these  constraints. 


Proof : 

(1)  Let  f  -  EntQ(e,j)  be  any  entry  in  a,  and  let  e  *  Ex(d,k).  /(d) 

is  a  pi  action  =>  the  types  of  the  input  entries  of  e  are  not 
cons  trained  Cons  t .  5 . 1-1 

(2)  /(d)  is  not  a  pi  actor  and  e  has  input  entries  in  a  =»  for  all  j, 

V(Ent  (e,j))  =  V(Ent  (e,j)}  (1)+Def.  5.2-8 

P  “ 

(3)  The  type  of  V(Ent  (e,j))  depends  on  /(d)  and  j  as  in  Const.  5.1-1, 

P 

so  the  type  of  V(Ent  (e,j))  depends  on  /(d)  and  j  as  in 

<2 

Const.  5.1-1  (2) 

(4)  Let  the  source  in  T(f)  be  Src(e',i),  where  e’  =  Ex(d’,k’).  Then 

there  is  an  entry  g  in  p  such  that  V(g)  *  V(f)  and  T(g)  has  the 
same  source;  i.e.,  the  value  of  Src(e',i)  is  the  same  in  a  and  p 

(1)+Defs.  5. 2-8+4. 2-6 

(5)  The  type  of  V(g)  depends  on  /(d * )  and  i  as  in  Const  5.1-1,  so  the  type 

of  V(f)  depends  on  J(d’)  and  i  as  in  the  constraint  (4) 


-273- 


(6)  a  satisfies  the  Input/Output  Type  Constraint(l)+(3)+(5)+Const .  5.1-1 

(7)  For  any  pointer  p,  p  is  the  value  in  p  of  the  output  entries  of  a 

Copy  execution  C  =»  the  first  entry  in  p  with  value  p  is  one  of 

those  output  entries  of  C  Lemma  5.3-8 

(8)  For  any  Update  or  Delete  execution  U,  for  j=2,3,  if  there  is  an 

entry  Ent  (U,j),  then  there  is  an  entry  EntD(U,j),  and  they  have 

a  p 

the  same  value  Def.  5.2-8 

(9)  For  any  Select,  Update,  or  Delete  execution  e  initiated  in  a, 

e€R(U)  in  a  iff  e€R(U)  in  |3  (7)+Lemma  5.2-6 

(10)  e€R(U)  in  a  =»  e€R(U)  in  p  3  the  values  of  Src(e,l)  and  Src(e,2)  in 

(3  depend  on  V(EntD(U,2),  and  possibly  on  V(Ent„(U,3) ,  as  in 

P  P 

Constraint  5.1-4  (9)+Const.  5.1-4 

(11)  *»  the  values  of  Src(e.l)  and  Src(e,2)  in  a  depend  on  V(EntQ(U,2)) , 

and  possibly  on  V(Enta(U,3)) ,  as  in  the  constraint  (8)+(4) 

(12)  a  satisfies  the  Structure  Output  Constraint  (10)+(ll)+Const.  5.1-4 

(13)  Let  C  be  any  Copy  execution  initiated  in  a,  and  let  p  be  the  value 

of  C's  output  entries  in  a  (if  any),  a  does  not  satisfy  the 
Unique  Pointer  Generation  Constraint  =»  there  is  an  execution  e^C 
whose  output  entries  have  value  p  in  a  and  e  either  is  in  IE,  is 
a  Copy  execution,  or  is  a  Select  execution  which  is  in  no  reach 
in  a  Const.  5.1-7 

(14)  =»  C  and  e  have  output  entries  of  value  p  in  p  (l)+(4)+Def.  4.2-5 

(15)  A  if  e  is  a  Select  execution,  it  is  not  in  a  reach  in  p  (9) 

(16)  =»  p  does  not  satisfy  the  Constraint  Const.  5.1-7 

(17)  a  satisfies  the  Unique  Pointer  Generation  Constraint  (13)+(16) 

A 
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Lemma  5.3-10  Given  an  interpretation  Int  ■  (St,  /, IE),  let  p  be  the  equal 
pointer  relation  defined  from  Int.  Let  a^,  02*  and  a> 2  be  four  causal 

computations  for  Int  such  that  either  for  i*l,2,  is  a  prefix  of  a 

permutation  of  co^,  or  for  i«l,2,  0^  is  SOE-inclusive  of  a^.  If 

(1)  for  i*l,2,  for  every  structure  operation  execution  e  initiated  before 

the  last  entry  in  a^,,  and  every  Assign,  Update,  or  Delete  execution 
A,  e  is  in  the  reach  R(A)  in  a  iff  e  is  in  R(A)  in  co  , 
then  for  any  two  pointers  p^  and  p2,  (p1,a1>p(p2,a2)  =>  (p^ay^) p(p2,w2) . 

Proof : 

(2)  is  a  prefix  of  a  permutation  of  a =»  every  entry  in  a^,  is  in 

(3)  For  every  execution  e  which  is  in  IE  or  is  a  structure  operation 

execution,  for  any  integer  j  and  any  value  v,  there  is  an  entry 
f€a^  such  that  T(f)  has  source  Src(e,j)  (destination  Dst(e,j))  and 
V(f )  ■  v  =>  there  is  an  entry  g  in  o>^  such  that  T(g)  has  source 
Src(e,j)  (destination  Dst(e,j))  and  V(g)  -  v  (2)+Def.  5.2-8 

(4)  (p1,a1)p(p2,a2)  iff 

(4a)  there  is  a  source  s  ■■  Src(e,i),  for  some  e€IE  and  some  i,  such  that 

P1  ^p2^  is  t*le  va*ue  8  *n  ai  *  or 

(4b)  there  are  Select  execution  and  S2  such  that 

is  the  value  of  Src(Sifl)  in  a^,  1*1,2, 

Sj  is  not  in  any  reach  in  a^,  i«l,2, 

V(Ent  (S  ,2))  -  V(Ent  (S  ,2)),  and 
1  2 

(V(Enta  (S1,l)),a1)p(V(Ent^(S2,l)),a2),  or 
•.  1  there  is  a  pointer  q^p.^  such  that  DDq  (q.p^)  and  (q,a1)p(p2,a2) 


Def.  5.1-10 
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The  proof  of  the  Lemma  is  by  induction  on  n,  the  number  of  recursive 
applications  of  the  above  three  rules  necessary  to  derive  (P^»a^) P(P2,a2^ * 
(5)  (4a)  is  true  of  p^  and  p 2  =»  there  is  a  one-step  derivation,  so  n  *  1 
'(6)  The  last  step  in  the  shortest  derivation  is  an  application  of  (4b) 
or  (4c)  =»  there  is  a  pair  cf  pointers  and  q^»  not  the  same  as 

p^  and  p2,  such  that  it  has  been  derived  that  (q^  ,al^  P^2,<J2^ 

(7)  =»  there  is  at  least  one  additional  step  in  the  shortest  derivation, 

so  n  >  1 
Basis:  n  *  1 

(8)  (4a)  is  true  of  p^  and  p2  (4)+(6)+(7) 

(9)  All  entries  in  (a^)  whose  transfers  have  source  s  have  value 

p^  (p2)  (4a)+Def.  4.2-6 

(10)  All  entries  in  (co2)  whose  transfers  have  source  s  have  value 


Px  (P2)  (9)+(4a)+(3) 

(ID  (p1,oj1)p(p2,w2)  (10)+Defs.  4.2-6+5.1-10 

Induction  step:  Assume  that  the  Lemma  is  true  for  any  p^  and  p2  if  the 
shortest  derivation  of  (p^,a^) p(p2>ci2^  has  n  stePs»  «>0,  and  consider 

(12)  p^  and  p2  for  which  the  shortest  derivation  has  n+1  steps 

(13)  Either  (4b)  or  (4c)  is  applied  as  the  last  step  in  this 


(14)  (4b)  =»  has  output  entries  in 

(15)  =»  is  initiated  before  the  last  entry  in 

(16)  a  is  the  value  of  Src(S^,l)  in  co^,  for  i*l,2 

(17)  *»  is  not  in  any  reach  in 


(18)  A  V(Ent  (S.,2))  -  V(Ent  (S,,2)) 

0)^  l  w2  t 

Letting  q^  ■  V(Enta  (S^,l))  ■  V(Ent^  (S^,l)),  i“l,2,  (4b) 


(4)+(5) 
Def .  4 . 2-6 
Def .  4 . 2-7 
(3)+Def.  4.2-6 
(15)+(1) 
(3)+Def .  4.2-6 


(19) 
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(q1»d1)p(q2.a2)  =*  a  shortest  derivation  of  (p^otj)  p(P2*a2)  consists 
of  a  shortest  derivation  of  (q2»a2)p(q2*C2^  followed  by  the 
application  of  (4b)  (3)+(13)+Def .  4.2-6 

(20)  .  (qroJl)p(q2  ^  (12>+ind*  hyP* 

(21)  (4b)  .  (PrU1)p(P2.«2>  (16)-(20)+Def .  5.1-10 

(22)  For  any  pointer  q*p. ,  DD  (q,p.)  -  there  is  a  sequence  of  Copy 

X  CL^ 

executions  Cn,...,C  such  that  V(Ent  (C  ,1))-  q,  Px  is  the  value 
x  1“  * 

of  the  output  entries  of  C^,  and  if  m  >  1*  then  for  j»2,...,m, 

V(Ent  (C  ,1))  is  the  value  of  the  output  entries  of  C  jDef.  5.1-9 
al 

(23)  •  since  each  of  Cx . C^  has  input  and  output  entries  of  the  same 

(3)+Def .  5.1-9 

(22)+(23) 

(25)  =»  a  shortest  derivation  of  (p-^o^)  p(p2»u2>  consists  of  a  shortest 

derivation  of  (q.a.) p(p2»a2)  followed  by  an  application  of  (4c) (13) 


value  in  co^,  DD^(q,p^) 

(24)  (4c)  =»  3q#p.:  DD  (q.Pj)  and  (q.o^) p(p2»a2) 

X  Wj 


(26)  *»  (q,a)1)p(p2*“2^ 

(27)  (4c)  »  (p1,co1)p(P2.co2) 

(28)  (12)  »  (p1.co1)p(P2»w2) 


(12) +ind.  hyp. 
(24)+(26)+Def.  5.1-10 

(13) +(21)+(27) 


5.3.4  Conclusion 

This  subsection  concludes  the  proof  that  all  computations  in  a  job 
satisfy  the  last  five  constraints.  The  third  and  final  step  in  that  proof 
has  been  explained  at  the  start  of  Section  5.3;  it  is  here  repeated 
precisely  as: 


5.3-11  Let  S1  and  S2  be  any  two  equal  initial  standard  states  for 
the  same  LBg  program  ?  and  let  81  and  be  any  two  halted  firing  sequences 
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starting  in  5^  and  respectively.  Let  go^  »  TlCS^^)  and  co2  =  r)(S2,22), 
and  assume  that  these  are  computations  for  Int(P) .  Let  and  a2  be 
any  two  causal  computations  for  Int(P)  and  let  pbe  the  equal  pointer 
relation  defined  from  Int(P).  If,  given  Int(P), 

(1)  for  i*l,2,  for  any  structure  operation  execution  e,  e  is  initiated  in 

a£**a  is  initiated  in  for  every  integer  j,  if  there  is  an  entry 

Ent  (e,j)  in  a.,  then  there  is  an  Ent  (e,j)  in  go,  with  the  same 
l  oo^  i 

value,  and  if  there  is  an  entry  in  whose  transfer  has  source 
Src(e,j),  then  there  is  an  entry  in  with  the  same  value  whose 
transfer  has  source  Src(e,j), 

(2)  for  i=l,2,  for  every  structure  operation  execution  e  initiated  in 

and  any  Assign,  Update,  or  Delete  execution  A,  e€R(A)  in  iff 
e€R(A)  in  a^,  and 

(3)  for  any  pointers  p^^  and  p2,  (p1,a1)p(p2,a2)  =»  (pj.a^) p(p2,co2) , 

then  satisfies  the  Atomic  Output,  Structure  Output,  and  Unique  Pointer 
Generation  Constraints,  and  the  pair  .consisting  of  and  a 2  satisfies  the 
Initial  Structure  and  the  First/Next  Output  Constraints. 

Proof :  (Since  the  earlier  explanation  is  conceptually  complete,  the  details 
of  the  proof  have  been  relegated  to  Appendix  D.)  yy 

All  of  the  elements  presented  in  this  section  are  now  brought 
together,  to  verify  that: 

Theorem  5.3-3  EE(Lgg,S)  is  a  Structure-as-Storage  model. 


hssL- 
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(1)  EE(Lgg.S)  *  ( V ,  L,  A,  In ,E)  is  an  entry-execution  model  Thm.  4.3-1 

(2)  There  is  a  distinct  subset  V  of  V  containing  pointers 

Defs.  2. 2-1+4. 3-1 

(3)  The  action  domain  A  contains  the  following  eight  actions,  and  In 

assigns  to  each  the  Indicated  input  arity:  Fetch(l),  First(l), 

Next (2) ,  Select(2),  Copy(l),  Assign(2)  Update(2),  and  Delete(2) 

Defs.  2 . 2-3+2 . 2-5+4 . 3-1 

(4)  Let  (Int,J)  be  any  expansion  in  £.  Then  there  is  an  L  program  P 

BS 

such  that  this  is  an  expansion  of  P  Def.  4.3-1 

(5)  Let  J  be  any  job  in  J.  Then  J  is  a  job  for  Int  (l)+(4)+Def.  4.2-3 

(6)  Int  ■  Int(P)  and  there  is  an  equivalence  class  E  of  initial 

standard  states  for  P  such  that  J  ■  J_  (4)+Def.  4.3-2 

(7)  Let  and  S ^  be  any  two  states  in  E,  and  let  2^  and  ^  t>®  any  two 

halted  firing  sequences  starting  in  S ^  and  S^.  For  1*1,2,  let  p^ 

be  any  computation  in  J„  .  Then  p,  is  a  causal  permutation  of 

^i#^i  * 

“i  "  Tl(JSjL*a±^  Def.  **3-5 

(8)  co,  is  also  in  Jc  and  $(co,)  is  the  reduction  of  2,  Lemma  4.3-3 

(9)  co,  and  p  are  both  in  J_,  hence  both  are  computations  for  Int*Int(P) 

(7)+(8)+(5)+(6)+Defs.  4. 3-3+4. 2-3 
(IQ)  co^  is  SOE-inclusive  of  p^  (7)+Lemma  5.3-7 

(11)  co^  is  causal  (7)+Lemma  4.3-2 

(12)  co^  satisfies  the  Input/Output  Type  Constraint,  given  Int(P) 

(7)+Lemma  5.3-1 

(13)  co^  satisfies  the  Structure  Output  Constraint,  given  Int(P) 

(7)+Lemma  5.3-3 
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(14)  £oa  satisfies  the  Unique  Pointer  Generation  Constraint,  given  lnt(P) 

(7)+Lemma  5.3-6  . 

(15)  For  any  pointer  p,  p  is  the  value  of  the  output  entries  in  of  a 

Copy  execution  C  =»  the  first  entry  in  with  value  p  is  one  of 
those  output  entries  of  C  (ll)+(9)+(12)-(14)+Lemma  5.3-8 

(16)  For  any  structure  operation  execution  e  initiated  in  p^,  and  any 

Assign,  Update,  or  Delete  execution  A,  e€R(A)  in  p^  «*  efR(A)  in 

(7)+(ll)+(9)+(10)+(15)+Lemma  5.2-6 

(17)  p^  satisfies  the  Input/Output  Type,  Structure  Output,  and  Unique 

Pointer  Generation  Constraints  given  Int(P) 

(7)+(9)+(10)-(14)+Lemma  5.3-9 

(18)  For  any  pointer  p,  p  is  the  value  of  the  output  entries  in  PA  of  the 

Copy  execution  C  =>  the  first  entry  in  p^  with  value  p  is  one  of 
those  output  entries  of  C  (7)+(9)+(17)+Lemma  5.3-8 

(19)  Let  be  any  prefix  of  p^.  Let  yf  be  any  prefix  of  and  let  e  be 

the  execution  of  which  f  is  an  output  entry.  Then  yf  is  a  prefix 


of  p^,  so  e  is  initiated  in  y 

(7)+Def .  4.2-7 

(20) 

is  causal 

(19)+Def .  4.2-7 

(21) 

is  in  J^,  and  so  is  a  computation  for  Int(P) 

(19)+(7)+(5)+Defs.  4. 3-3+4. 2-3 


(22)  For  any  structure  operation  execution  e  *  Ex(d,k)  initiated  in  a^, 

and  any  Assign,  Update,  or  Delete  execution  A,  e€R(A)  in  iff 
e€R(A)  in  p  (20)+(7)+(21)+(9)+(19)+(18)+Lemma  5.2-5 

(23)  A  there  are  In(/(d))  input  entries  to  e  in  a^,  hence  in  p^,  so  e  is 

initiated  in  p^  (19)+Def.  4.2-6 


(22) 


(25)  Let  f  be  any  entry  in  c^.  Then  f  is  in  {3^ 

(26)  Let  T(f)  be  (Src(Ex(d,k) ,i) ,  Dst(Ex(d' ,k') ,j)) .  Constraint  5.1-1 

dictates,  one  or  two  times,  what  the  type  of  V(f)  should  be:  once 
based  on  /(d)  and  i,  and  again  based  on  Z(d')  and  j  Const.  5.1-1 

(27)  Both  of  the  types  so  dictated  match  the  type  of  V(f)  (25)+(17) 

(28)  satisfies  the  Input/Output  Type  Constraint  (25)+(21)+Const.  5.1-1 

(29)  J  satisfies  the  Pointer  Transparency  Constraint  (4)+(5)+Lemma  5.3-2 

(30)  Let  e  be  any  structure  operation  execution.  If  e  is  initiated  in  a A 

there  are  In(/(d))  input  entries  to  e  in  a^,  so  the  same  entries 
are  in  {3^  and  oo^,  so  e  is  initiated  in  co^ .  For  every  integer  j, 
if  there  is  an  entry  Ent^  (e,j)  in  a^,  then  there  is  an  entry 
Ent  (e,j)  in  co  with  the  same  value.  If  there  is  an  entry  in  a 

CO^  X  1 

whose  transfer  has  source  Src(e,j),  there  is  one  in  with  the 
same  value  whose  transfer  has  the  same  source  (25)+(7)+Def .  4.2-6 

(31)  Let  p  be  the  equal  pointer  relation  defined  from  Int.  For  any  two 

pointers  px  and  p2,  (p^c^) p(p2,a2)  =>  (Pj.Pj) p(p2>p2) 

(20)+(7)+(21)+(9)+(19)+(22)+Lemma  5.3-10 

(32)  -  (p1,co1)p(p2,co2)  (7)+(ll)+(9)+(10)+(16)+Lemma  5.3-10 

(33)  Given  lnt(P),  satisfies  the  Atomic  Output,  Structure  Output,  and 

Unique  Pointer  Generation  Constraints,  and  the  pair  consisting  of 
and  a2  satisfies  the  Initial  Structure  and  First/Next  Output 
Constraints  (7)+(9)+(20)+(21)+(30)+(22)+(24)+(31)+(32)+Len*na  5.3-11 

(34)  EE(Lgg,S)  is  an  S-S  model 

(l)-(6)+(7)+(19)+(28)+(33)+(29)-H)efs.  4. 3-3+5. 1-1 


Chapter  6 

A  Generalized  Detemlnacy  Proof 

A  novel  method  for  guaranteeing  determinacy  of  LfiS  programs  has  been 
presented  in  Chapter  3.  Its  key  feature  is  the  withholding  of  read 
pointers  (p,R)  output  by  a  Select  firing  so  long  as  there  are  write 
pointers  (p,W)  on  arcs  of  the  program.  It  was  argued  that  this  scheme 
guarantees  freedom  from  conflict;  the  purpose  of  this  chapter  and  the 
following  is  to  show  that  such  freedom  implies  determinacy,  and,  in  turn, 
functionality. 

The  entry-execution  model  was  introduced  in  Chapter  4  as  being 
particularly  well-suited  to  the  statement  and  proof  of  assertions  about 
specific  operations.  Chapter  5  has  illustrated  its  use  in  concisely 
describing  the  operations  characterizing  a  Structure-as-Storage  language. 
The  current  chapter  presents,  in  entry-execution  terms,  a  set  of  seven 
Determinacy  Axioms  for  an  S-S  model,  and  proves  that  they  are  sufficient 
to  guarantee  determinacy.  Chapter  7  then  shows  that  the  model  EECLq.M) 
satisfies  these  axioms,  hence  is  determinate,  and  that  this  implies  the 
functionality  of  programs  run  on  the  modified  interpreter. 

This  chapter  commences  with  the  formal  definition  of  determinacy  in 
an  entry-execution  model  (Section  6.1).  The  Determinacy  Axioms  are  pre¬ 
sented  next  (Section  6.2).  The  final  two  sections  contain  the  proof  that 
the  Axioms  are  sufficient  for  determinacy  in  any  S-S  model. 


I 
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6.3,  The  Definition 

A  rough  definition  of  determinacy  in  the  standard  model  of  data  flow 
has  already  been  given,  in  Section  3.1.2  (q.v.).  With  the  elegant  vocab¬ 
ulary  of  the  entry-execution  model,  this  is  easily  translated  into  a 
more  concise  statement. 

Determinacy  is  a  property  of  individual  programs  in  a  data-flow 
language.  To  each  such  program  P  there  corresponds  an  expansion  (Int , J) 
in  an  entry-execution  model  of  that  language.  Therefore,  in  that  model, 
determinacy  is  a  property  of  expansions.  Program  P  is  determinate  iff, 
for  each  equivalence  class  E  of  initial  states  for  P,  any  two  firing 
sequences  starting  in  any  states  in  E  satisfy  the  five  Determinacy 
Assertions.  Each  such  equivalence  class  E  corresponds  to  a  single  job 
JE  in  J.  A  job  is  just  a  set  of  computations,  which  are  the  entry- 
execution  analogs  of  firing  sequences.  Therefore,  an  expansion  is 
determinate  iff,  for  each  job  J€J,  any  two  computations  in  J  satisfy 
corresponding  conditions. 

The  first  and  fourth  of  the  Determinacy  Assertions  together  state: 
For  any  two  actors  d^  and  d and  any  integers  i,  j,  k,  and  m,  there  is  a 
firing  of  d^  and  an  mfcl1  firing  of  dj»  and  a  value  is  transferred  from 
the  number-i  output  of  the  latter  to  the  number-j  input  of  the  former,  in 
firing  sequence  iff  the  same  is  true  of  firing  sequence 
corresponding  condition  on  two  computations  and  is:  There  is  an 
entry  with  transfer  (Src(Ex(d2»m) ,i) ,  Dst(Ex(d^,k) , j))  in  iff  there 


is  an  entry  with  that  transfer  in  oc^. 


The  second  and  third  Determinacy  Assertions  concern  the  value  of  the 
number-j  input  to  the  kth  firing  of  an  actor  d.  These  translate  directly 

into  statements  about  the  values  of  the  entries  in  co^  and  whose 

transfers  have  destination  Dst(Ex(d,k) ,j)  (of  which  there  is  at  most  one 
per  computation).  To  wit:  There  is  a  one-to-one  map  F  over  pointers  such 
that,  for  any  entries  f  in  and  g  in  with  T(g)  *  T(f ) , 

a.  V(f )  is  not  a  pointer  iff  V(g)  is  not  a  pointer, 

b.  if  those  values  are  not  pointers,  then  they  are  the  same,  and 

c.  if  those  values  are  pointers,  then  F(V(f))  is  defined  and  equal 

to  V(g) . 

The  final  Determinacy  Assertion  is  of  the  equality  of  the  reaches  in  52^ 
and  ^2  each  Assign,  Update,  or  Delete  firing.  The  concept  of  reach 
has  already  been  refined  and  translated  into  entry-execution  terms  in 
Chapter  5.  The  requirement  for  equal  reaches  is  combined  with  those 
translated  above  to  form: 


Definition  6.1-1  An  expansion  (lnt,J)  is  determinate  iff  for  each  job 
J€J,  any  two  computations  in  J  are  equivalent  under  some  one-to-one 
pointer  correspondence. 


A  pointer  correspondence  F  is  any  map  over  pointers 


Two  computations  and  co^  are  equivalent  under  pointer  correspond¬ 
ence  F  iff  the  following  are  all  true: 


1.  The  sets  of  transfers  of  the  entries  in  w.  and  co_  are  Identical. 
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2.  For  any  two  entries  and  g€o>2  such  that  T(g)  =  T(f), 

a.  V(f)  is  not  a  pointer  iff  V(g)  is  not  a  pointer, 

b.  if  those  values  are  not  pointers,  then  they  are  the  same,  and 

c.  if  those  values  are  pointers,  then  F(V(f))  is  defined  and  equal 
to  V(g) . 

3.  For  any  Assign,  Update,  or  Delete  execution  A,  the  reach  R(A)  in 

equals  the  reach  R(A)  in  * 

A 

6 . 2  The  Axioms 

This  section  presents  the  seven  Determinacy  Axioms  for  an  S-S  model. 
These  include  the  six  Determinate  Schema  Axioms,  plus  freedom  from 
conflict  between  structure  operations.  The  Determinate  Schema  Axioms  are 
sufficient  to  guarantee  determinacy  of  programs  in  languages  without 
structure  operations;  consequently,  they  are  well-understood  and  have  been 
made  to  hold  by  design  for  most  existing  parallel-programming  languages. 
These  are  succinctly  presented  in  terms  of  a  state- transition  model  of 
computation  in  Denning  [9];  here  they  are  translated  into  entry-execution 
terms. 

The  first  two  axioms  are  causality  and  the  Prefix  Property.  These 
are  Implicit  in  the  state-transition  paradigm ,  and  they  also  hold  for  the 
one  entry-execution  model  which  has  been  constructed.  They  are  not 
inherent  in  the  entry-execution  view,  however,  and  so  should  be  explicit. 

Axiom  6,2-1  (Causality)  For  any  expansion  (Int,J),  every  computation  in 
every  job  in  J  is  causal  with  respect  to  Int. 


A 


Axiom  6.2-2  (Prefix  Property)  For  any  expansion  (Int,J),  every  job  in 
possesses  the  Prefix  Property. 

A 

The  third  axiom  states  simply  that  any  action  except  a  structure 
operation  is  deterministic;  i.e.,  in  all  computations  in  which  it  has  the 
same  set  of  input  values,  it  produces  the  same  set  of  output  values. 

Definition  6.2-1  Given  any  expansion  (Int,J)  where  Int  -  (St,  /,1E),  any 
action  a  is  deterministic  iff  the  following  is  true  for  any  two  (not 
necessarily  distinct)  computations  co^  and  co^  in  any  two  jobs  in  J:  For 
1=1»2,  let  »  Ex(d^,k^)  be  any  execution  not  in  IE  such  that  /( d^)  =  a. 
Then 

for  all  j,  there  is  an  entry  Ent(e^,j)  in  iff  there  is  an  entry 
Ent(e2»j)  in  and  if  so,  those  entries'  value  are  equal 
=>  for  all  i,  the  value  of  Src(e^,i)  in  (if  any)  equals  the  value 
of  Src(e.,i)  in  <o_  (if  any). 

A 

Axiom  6.2-3  (Determinism)  For  any  expansion,  all  actions  except  the 
eight  structure  operations  (Fetch,  First,  Next,  Select,  Assign,  Update, 
Delete,  and  Copy)  are  deterministic. 

A 

The  fourth  Determinacy  Axiom  completes  the  characterization,  begun 
in  Chapter  4,  of  a  job  as  the  set  of  computations  by  a  single  program  on 
a  particular  set  of  inputs.  Reviewing  the  development  to  this  point:  The 
set  of  initial  interpreter  states  which  represent  that  program  and  set  of 
inputs  constitutes  an  equivalence  class  E.  An  individual  program  input  X 
is  represented  in  an  initial  state  by  the  value  of  a  token  on  a  particular 
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program  input  arc  b  of  P.  In  a  program  with  no  structures,  X  is  the 
same  in  two  initial  states  iff  the  tokens  on  b  have  identical  non-pointer 
values.  However,  the  same  structure  input  can  be  represented  by  different 
pointers  in  different  states  in  E  (if  the  components  of  the  heaps  to  which 
they  point  are  equal) . 

In  the  entry-execution  model  of  data  flow,  P  corresponds  to  an  expan¬ 
sion  (Int.J),  where  Int  *  (St,/, IE),  and  E  gives  rise  to  a  job  J  in  J. 

The  values  residing  on  program  input  arcs  of  P  In  initial  states  in  E  are 
represented  as  the  values  of  output  entries  of  executions  in  IE  in  the 
computations  in  Jg.  Because  of  the  disparity  between  pointer-  and  non¬ 
pointer-valued  inputs,  the  definition  of  job  places  no  restrictions  on  the 
values  of  output  entries  of  executions  in  IE. 

The  pointer-valued  output  entries  of  an  execution  in  IE  may  have 
arbitrarily-different  values  p^  and  p2  in  different  computations  gOj  and 
in  J£.  But  those  pointers  are  related;  in  particular,  (plfC0j)p(p2,©2)  . 

The  significance  of  this  relationship  is  evident  in  the  constraints  on  the 
output  entries  in  and  a>2  of  executions  having  p^  and  p2  as  inputs 
(Constraints  S.l-A  and  5.1-5). 

No  constraints  on  the  output  entries  of  executions  in  IE  are  necessary 
in  a  general  entry-execution  model.  Constraints  5.1-4  and  5.1-5  on 
pointer-valued  entries  are  necessary  in  any  S-S  model .  And  the  following 
constraint  on  the  heretofore-unspeclfled  non-pointer-valued  entries  is 
necessary  in  any  determinate  entry-execution  model. 
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Axlom  6.2-4  For  any  expansion  (Int,J)  where  Int  =  (St,/, IE),  for  any  efIE, 
any  integer  i,  and  any  two  computations  and  in  a  job  in  J,  the  value 
of  Src(e,i)  in  is  not  a  pointer  iff  the  value  of  Src(e,i)  in  is  not 
a  pointer,  and  if  those  values  are  both  not  pointers,  then  they  are  equal. 

A 

The  next  two  axioms  concern  aspects  of  the  control  structure  and 
local-memory  structure  of  a  program.  Both  of  these  make  use  of  the 
concept  of  eligible  transfers ;  analogous  to  enabled  operators  in  a  state, 
the  eligible  transfers  at  the  end  of  a  computation  a  are  just  those 
transfers  which  can  immediately  follow  a  in  some  longer  computation: 


Definition  6.2-2  Given  a  job  J  and  any  computation  a  in  J,  the  set 
ETj(a)  of  eligible  transfers  (at  the  end  of  £>  is  defined  by 
ETj(a)  *  {t|  3f :  T(f)  *  t  and  af€J) 


The  first  of  the  two  axioms  combines  a  pair  of  Denning's:  persistence 
and  non-interference.  In  a  state-transition  model  of  a  language  like  data 
flow,  persistence  means  that  once  an  operator  is  enabled  to  fire,  it 
cannot  be  disabled  by  subsequent  firings  of  other  operators;  i.e.,  it 
remains  enabled  until  it  fires,  and  it  must  fire  before  the  firing 
sequence  can  halt.  Non-interference  concerns  the  sources  of  the  values 
transferred  to  the  number-i  input  of  the  j ^  firing  of  actor  d^  in  differ¬ 
ent  firing  sequences.  If  in  one  firing  sequence,  that  value  is  trans- 
f erred  from  the  output  of  the  x  firing  of  actor  d£»  then  in  any  other 

firing  sequence  in  which  there  is  a  j^  firing  of  d^  and  a  value  is  trans- 

th 

ferred  to  its  number-1  input,  that  transfer  is  from  the  output  of  the  k 
firing  of 
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In  an  entry-execution  model,  the  existence  of  a  j firing  of  is 
represented  as  the  existence  of  a  complete  set  of  input  entries  to  the 
execution  Ex(d^,j).  Therefore,  both  persistence  of  firings  and  non¬ 
interference  between  transfers  can  be  combined:  Once  a  firing  is  enabled, 
a  set  of  input  entries  to  the  corresponding  execution  becomes  eligible. 
Persistence  of  firings  implies  that  some  set  of  input  entries  remains 
eligible,  regardless  of  any  subsequent  entries,  until  it  occurs.  Further¬ 
more,  non-interference  means  that  the  sources  of  the  transfers  of  those 
entries  are  the  same,  regardless  of  when  the  entries  occur.  Thus,  once 
a  transfer  is  eligible,  that  same  transfer  —  same  destination,  same 
source  —  remains  eligible  until  it  occurs.  I.e.,  eligibility  of 
transfers  is  persistent: 

Axiom  6.2-5  (Persistence)  For  any  expansion  (Int,J),  for  any  job  JtJ  and 
any  computation  ag  in  J,  for  any  transfer  t*T(g) ,  tfETj(a)  «  t€ETj(ag). 

A 

This  axiom  is  inductively  extended  in  the  following  lemma. 

Lemma  6.2-1  For  any  persistent  expansion  (Int,J),  let  o>  be  any  computa¬ 
tion  in  any  J  (J  and  let  t  be  any  transfer  in  ETj(o>).  Then  for  any  y  such 
that  coy  Is  in  J: 

Jf€y:  T(f)  -  t  -  tCETjCuy) 

Proof:  By  induction  on  the  length  of  y. 

Basis:  |y|  •  0.  Then  ET  ^ (coy)  ”  ETj(w),  so  t€ETj(ffly)* 
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Induction  step:  Assume  the  Lemma  is  true  for  any  y  of  length  n>0,  and 
consider 

(1)  cay  “  co68 >  where  |y|  •  n+1 

(2)  2f €y:  T(f )  -  t  •  gf€6:  T(f)  -  t  a  T(g)#t  (1) 

(3)  •»  t(ETj(co6)  ind.  hyp. 

(4)  =,  tcETjCcogg)  (2)+Ax.  6.2-5 

A 

The  second  axiom  concerned  with  control  is  commutativity.  Denning 
states  that  if  two  adjacent  firings  in  a  sequence  can  be  swapped,  then 
doing  so  should  not  change  the  resultant  control  state.  I.e.,  if 
and  S2<|>2(Pi  are  both  firing  sequences  starting  in  state  S,  then  at  least 
the  control  portions  of  the  states  and  are  equal.  Beyond 

this  explicit  axiom,  there  is  implicit  in  the  state-transition  paradigm 
the  assumption  that  firing  the  same  actor  in  either  of  two  equal  control 
states  results  again  in  equal  control  states.  I.e.,  if  S'ffi<pj(P2  and 
S*&P2<Pi  have  equal  control  portions,  then  for  any  0  such  that  both 
and  &p2<Pi0  are  firing  sequences  starting  in  S,  and  ^ave 

equal  control  portions.  Both  of  these  assertions  —  Denning's  explicit 
axiom  and  the  tacit  assumption  about  state  transitions  —  must  be  made 
explicit  in  the  entry-execution  model;  the  following  axiom  combines  them 
into  a  single  simple  statement: 


Axiom  6.2-6  (Commutativity)  For  any  expansion  (Int,J),  for  any  job  J€ J, 
and  for  any  computation  agf6  in  J  such  that  afg6  is  also  in  J, 


ETj(afg6)  -  ETj(ogf6) 
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The  seventh  and  final  Determlnacy  Axiom  is  the  freedom-from-conflict 
axiom.  This  principle  has  already  been  explained  (at  the  end  of  Section 
3.1),  and  is  here  translated  into  entry-execution  terms  with  the  aid  of 
the  following  observation:  Let  <p^  and  <p^  be  two  firings  in  a  firing 
sequence  Q  starting  in  state  S  such  that,  for  1*1,2,  <p^  is  the  firing 

of  actor  d^.  Let  e^  and  e2  be  the  executions  Ex(d^,k^)  and  Ex(d2>k2) 
respectively.  If  <p^  and  <p2  potentially  interfere,  then  in-q(3',2), 

Ent(e^,l)  and  Ent(e2»l)  are  in  the  same  access  history ,  and  one  of  e^  and 
e^  la  in  the  reach  of  the  other. 

Axiom  6.2-7  (Freedom  from  conflict)  For  any  expansion  (Int, J) ,  for  any 
job  J(J,  there  is  no  computation  agf  in  J  satisfying  all  the  following: 

1.  f  and  g  initiate  distinct  executions  e^  and  e2  respectively  in  agf, 

2.  Ent^.l)  and  Ent(e2,l)  are  in  the  same  access  history  in  agf, 

3.  e^  is  in  the  reach  R(e2>  in  agf,  and 

A.  there  is  a  computation  afg  in  J  with  T(f)  ■  T(f)  and  T(g)  ■  T(g). 

A 

6.3  The  Basic  Requirements  for  Equivalence  of  Computations 

This  section  presents  an  Important  general  result  concerning  the 
equivalence  of  two  computations  and  co2  in  a  job  which  satisfies  the 
first  four  of  the  Determlnacy  Axioms:  The  first  part  of  the  definition 
of  equivalence  —  identical  sets  of  transfers  —  plus  one  additional  simple 
condition  together  imply  the  remaining  three  components  of  equivalence 
—  equal  non-pointer  values,  corresponding  pointer  values,  and  equal 
reaches.  The  reason  for  presenting  this  here  as  a  separate  significant 


result  is  that  it  is  anticipated  that  future  research  will  explore  issues 
other  than  strict  determlnacy  which  concern  equivalence;  it  is  hoped  that 
these  endeavors  will  be  aided  by  the  pre-existence  of  such  a  general  proof. 

The  second  of  the  two  conditions  sufficient  for  equivalence  is  set 
forth  in  the  following: 

Definition  6.3-1  Given  a  job  J,  let  a  and  (3  be  any  two  computations  in  J. 
Then  p  preserves  the  order  of  dependent  accesses  in  a  iff  the  following 
is  true  of  every  structure  operation  execution  e:  Let  A 
be  any  Assign,  Update,  or  Delete  execution.  If  EntQ(A,l)  and  Enta(e,l) 
are  in  the  same  access  history  in  a  and  e  is  in  the  reach  R(A)  in  a,  then 
A  initiates  before  e  in  p.  If  Ent^(A,l)  and  Ent^(e,l)  are  in  the  same 
access  history  in  P  and  e  is  in  R(A)  in  P,  then  A  initiates  before  e  in  a. 

A 

Relating  this  to  the  firing  sequences  modeled  by  a  and  P,  Ent(A,l) 
and  Ent(e,l)  are  in  the  same  access  history  iff  the  firings  which  they 
represent  input  the  same  pointer,  i.e.,  access  the  same  node.  If  e  is  in 
the  reach  of  A,  then  the  state  change  effected  by  the  firing  represented 
by  e  depends  upon  the  inputs  to  the  firing  represented  by  A.  Thus  the 
property  just  defined  is  analogous  to  the  following  relationship  between 
firing  sequences:  If  in  one  firing  sequence,  the  result  of  a  firing  which 
accesses  node  n  depends  upon  another  firing  which  also  accesses  node  n, 
then  those  firings  occur  in  the  same  order  in  the  other  firing  sequence. 

The  proof  that  this  together  with  equal  transfer  sets  imply  the  three 
remaining  components  of  equivalence  proceeds  by  induction  on  the  lengths 


of  the  prefixes  of  one  of  the  computations.  Because  It  Is  very  long,  this 
proof  Is  broken  Into  three  lemmas,  one  for  each  component.  This 
requires  that  each  component  be  given  a  name,  and  furthermore,  that  a 
modified  version  of  each  be  made  available  to  relate  one  computation  to  a 
prefix  of  the  other.  This  is  done  is  the  following  series  of  definitions. 

/ 

Definition  6.3-2  A  computation  p  is  transfer-inclusive  of  another  compu¬ 
tation  a  iff  for  each  entry  f  in  a,  there  is  an  entry  g  in  p  with  the. 
same  transfer.  Two  computations  are  transf er-congruent  iff  each  is 
transfer-inclusive  of  the  other. 

A 

Definition  6.3-3  Given  two  computations  a  and  (3  such  that  p  is  transfer- 
inclusive  of  a,  p  is  NPE-inclusive  of  a  iff  the  following  1b  true  of  every 
entry  f  in  a:  Let  g  be  the  entry  in  p  with  T(g)  -  T(f).  Then  V(f)  is  not 
a  pointer  iff  V(g)  is  not  a  pointer,  and  if  those  values  are  not  pointers, 
then  they  are  the  same. 

A 

Definition  6.3-4  Given  two  computations  a  and  p  such  that  p  is  transfer- 
inclusive  of  a,  and  a  pointer  correspondence  F,  p  is  PE-inclusive  of 
under  F  iff  the  following  is  true  for  every  entry  f  in  a:  Let  g  be  the 
entry  in  p  with  T(g)  ■  T(f).  Then  V(f)  is  a  pointer  iff  V(g)  is  a  pointer, 
and  if  they  are  pointers,  then  F(V(f))  is  defined  and  equal  to  V(g). 

A 

Definition  6.3-5  Computation  p  is  reach-inclusive  of  computation  a  iff, 


for  each  structure  operation  execution  e  initiated  in  a,  and  each  Assign 


-293- 

Update,  or  Delete  execution  A,  e  is  in  reach  R(A)  in  a  iff  e  is  in  R(A) 
in  p. 

A 

Definition  6.3-6  Computation  p  is  inclusive  of  computation  a  under 
pointer  correspondence  F  iff  it  is  transfer-inclusive,  NPE-incluslve, 
PE-inclusive  under  F,  and  reach-inclusive  of  a. 

A 

Finally,  the  proof  given  here  not  only  establishes  the  equivalence 

of  co^  and  but  also  specifies  the  pointer  correspondence  under  which 

they  are  equivalent.  This  is  the  natural  pointer  correspondence  F  , 

“l»“2 

defined  below: 

Definition  6.3-7  Given  two  computations  a  and  p  for  the  same  interpreta¬ 
tion  such  that  p  is  transfer-inclusive  of  a,  the  natural  pointer  corres¬ 
pondence  for  a  and  Fq  ^ ,  is  given  by : 

If  p  is  the  value  of  the  output  entries  of  a  Copy  execution  C  in  a, 

then  F  Q(p)  is  the  value  of  the  output  entries  of  C  In  B, 
a,p 

else  if  there  is  a  pointer  p'  such  that  p*  is  not  the  value  of  the 

output  entries  of  a  Copy  execution  in  p  and  (p,a)p(p' ,p) , 

then  Fa  p(p)  -  p’, 

else  F  a(p)  is  undefined. 
a,p 

A 

There  are  two  simple  preliminary  results  which  are  needed  for  this 


and  succeeding  proofs.  The  first  has  already  been  established  for  the 
particular  model  EE(LgS,S);  for  generality,  it  is  here  shown  to  be  true 
for  every  S-S  model. 
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Corollary  6.3-1  Let  a  and  g  be  any  causal  computations  for  the  same 
Interpretation  such  that  a  Is  a  prefix  of  g,  and  let  e  be  any  structure 
operation  execution  Initiated  In  a.  Then  for  any  Assign,  Update,  or 
Delete  execution  A,  e  Is  in  the  reach  R(A)  In  g  Iff  e  Is  in  R(A)  In  a- 

Proof;  For  any  pointer  p,  p  Is  the  value  of  the  output  entries  in  p  of  a 
Copy  execution  C  =»  the  first  entry  in  p  with  value  p  is  one  of  those 
output  entries  of  C  [Lemma  5.3-8].  The  Corollary  then  follows  directly 
from  Lena  5.2-6. 

A 

The  second  preliminary  result  first  states  that  any  natural  pointer 

correspondence  is  one-to-one.  It  then  goes  on  to  show  the  following 

fundamental  relationship  between  two  equivalent  computations  a  and  p: 

For  any  pointer  p,  (p,a)p(F  _ (p) ,B) .  The  importance  of  this  will  become 

a,p 

apparent  in  the  proof  in  Chapter  7  that  only  a  functional  L^,,  program  can 
give  rise  to  a  determinate  expansion  in  EECL^.H). 

Theorem  6,3-1  Let  a  and  p  be  any  two  causal  computations  for  the  same 

interpretation  (St,  /,IE)  such  that  p  is  transfer-inclusive  of  a.  Then 

F  ■  F  .  is  one-to-one  over  the  set  of  pointers  over  which  it  is  defined. 

a»P  r 

Furthermore,  if  p  is  PE-inclusive  of  a  under  F,  then  for  each  pointer  p 
which  is  the  value  of  an  entry  in  a,  (p,a)p(F(p) ,p) . 

Proof: 

(1)  Let  p  be  any  pointer  for  which  F(p)  is  defined,  and  let  p'  -  F(p). 

Then  either  p  (p’)  is  the  value  in  a  (p)  of  the  output  entries  of 
a  Copy  execution  C,  or  (p,a)p(p',p)  Def.  6.3-7 

(2)  If  p  is  the  value  in  a  of  the  output  entries  of  a  Copy  execution  C, 
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then  there  Is  a  unique  pointer  p'  which  is  the  value  in  p  of  the 


output  entries  of  C  Defs.  6 . 3-2+4 . 2-6 

(3)  Otherwise,  there  is  a  unique  p'  which  is  not  the  value  of  the  output 
entries  of  a  Copy  execution  in  p  such  that  (p,a)p(p' ,p) Const.  5.1-5 
(A)  There  is  a  unique  p'  such  that  p’  -  F(p)  (l)+(2)+(3) 

(5)  Let  p^  and  p2  be  any  two  pointers  for  which  F(p)  is  defined.  One  of 

the  pointers,  say  p^,  is  the  value  in  a  of  the  output  entries  of  a 
Copy  execution  and  p2  is  not  the  value  of  the  output  entries  in  a 
of  a  Copy  execution  a  F(p^)  is  the  value  of  the  output  entries  of 
a  Copy  execution  in  p,  F(p2>  is  not,  and  (p2,a) p(F(p2> ,p)Def .  6.3-7 

(6)  »  F(p2>  is  the  value  in  p  of  the  output  entries  of  an  execution 

which  either  is  in  IE  or  is  a  Select  execution  which  is  in  no 
reach  in  p  Def.  5.1-10 

(7)  -  F(Pl)  *  F(p2)  (5)+Const.  5.1-7 

(8)  p?  and  p2  are  the  values  in  a  of  the  output  entries  of  Copy 

executions  C^  and  C2  respectively  a  for  i*l,2,  F(p^)  is  the  value 
in  P  of  the  output  entries  of  C^  Def.  6.3-7 

(9)  *  [Cj  #  C2  »  F(pj)  *  F(p2)]  Const.  5.1-7 

(10)  -  [F(Pl)  -  F(p2)  -  Cx  -  C2  -  P]L  -  p2J  Def.  4.2-6 

(11)  Neither  p2  nor  p2  is  the  value  in  a  of  the  output  entries  of  a  Copy 

execution  a  neither  F(p^)  nor  F(p2)  is  the  value  in  p  of  the 

output  entries  of  a  Copy  execution,  (p^,a)p(F(p1) ,p) ,  and 
(p2,a)p(F(p2),p)  Def.  6.3-7 

(12)  a  (F(pj)  -  F(p2)  »  P2  ■  P21  Const.  5.1-5 

(13)  F(Pj)  -  F(p2)  -  Pl  -  p2  (5)+(7)+(8)+(10)+(ll)+(12) 


.vVf- 
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(14)  F  •  F  Q  is  one-to-one  over  the  set  of  pointers  over  which  it  is 

a,p 

defined  <5)+(13) 

Now  prove  the  second  part  of  the  theorea  by  contradiction.  Assume 

(15)  p  is  PE-inclusive  of  a  under  Ft  but  there  is  a  pointer  p  which  is 

the  value  of  an  entry  in  a  and  it  is  not  true  that  (p,a)p(F(p) ,p) 

(16)  There  is  a  prefix  yf  of  a  such  that,  for  every  pointer  q  which  is 

the  value  of  an  entry  in  y,  (q,a)p(F(q)  ,p)  ,  but  for  p  -  V(f),  it 

is  not  true  that  (p,a) p(F(p) ,p)  (15) 

(17)  F(p)  is  defined,  and  there  is  an  entry  in  p  which  is  an  output 

entry  of  the  same  execution  as  f  and  has  value  F(p)  (15)+Def.  6.3-4 

(18)  p  is  not  the  value  of  the  output  entries  in  a  of  a  Copy  execution 

-  (p.a)p(F(p),p)  (17)+(1) 

(19)  p  is  the  value  of  the  output  entries  in  a  of  a  Copy  execution  C 

(18) +(16) 


(20)  f  is  the  first  entry  in  a  with  value  p  (16) 

(21)  f  is  an  output  entry  of  C  (19)+(20)+Lemma  5.3-8 

(22)  Enta(C,l)  is  in  y  (21)+Oef.  4.2-7 

(23)  Let  q  be  V(Ent  (C,l)).  Then  V(EntQ(C,l))  is  F(q)  (15)+Def.  6.3-4 

a  p 

(24)  (q,a)p(F(q),p)  (23)+(22)+(16) 

(25)  q*p  and  since  F  is  one-to-one,  F(q)*F(p)  (23)+(22)+(20)+(16)+(14) 

(26)  DD  (q,p)  and  DDfl(F(q) ,F(p))  (23)+(21)+(20)+(17)+Def .  5.1-9 

(27)  (p,a)p(F(q),p)  (24)+(25)+(26)-H)ef .  5.1-10 

(28)  (p,a)p(F(p) ,p)  (27)+(25)+(26)+Def.  5.1-10 

Since  (15)  leads  to  a  contradiction  between  (16)  and  (28) ,  (15)  is  false. 


Thus  the  second  part  of  the  theorem  is  proven. 

A 


c 
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With  these  preliminary  results,  the  three  parts  of  the  induction  step 
in  the  equivalence  proof  are  now  presented  as  separate  lemmas. 

Lemma  6.3-1  Given  an  expansion  (Int,J),  where  Int  ■  (St,  /, IE),  which 
satisfies  the  first  four  Determinacy  Axioms,  let  af  and  p  be  any  two 
computations  in  any  job  J €*/  such  that  [3  is  transfer-inclusive  of  af.  If 
B  is  Inclusive  of  a  under  the  natural  pointer  correspondence  F  *  F  , 

'  *  d,p 

then  p  is  NPE-inclusive  of  af. 


Proof : 

(1)  Let  s  »  Src(e,i)  be  the  source  in  T(f).  Then  v  *  V(f)  is  the  value 

of  s  in  af  Def.  4.2-6 

(2)  There  is  an  entry  g  in  p  with  T(g)  -  T(f)  Def.  6.3-2 

(3)  V(g)  is  the  value  of  s  in  p  (l)+(2)+Def.  4.2-6 

(4)  e€IE  =»  V(f )  in  af  is  not  a  pointer  iff  V(g)  in  p  is  not  a  pointer, 

and  if  they  are  not  pointers,  they  are  the  same  (l)+(3)+Ax.  6.2-4 

(5)  J  is  a  job  for  Int  Def.  4.2-2 

(6)  a,  af,  and  p  are  all  causal  computations  for  Int 

(S)-f Axioms  6 . 2-2+6 . 2-1+Def .  4.2-3 

(7)  e  is  initiated  in  a  (l)+(6)+Def .  4.2-7 

(8)  Letting  e  ■  Ex(d,k),  there  are  In(/(d))  input  entries  to  e  in  a 

(6)+(7)+Oef.  4.2-6 

(9)  There  are  at  most  In(/(d))  input  entries  to  e  in  af  and  in  p 

(7)+Def.  4.2-6 

(10)  For  any  j,  there  is  an  entry  Ent(e,j)  in  a  iff  there  is  an  entry 
Ent(e,j)  in  p,  and  if  so,  those  entries  have  the  same  transfer 


(8)+(9)+Defs.  4. 2-6+6. 3-2 


(11)  For  every  j,  there  is  an  Ent(e,j)  in  af  iff  there  is  an  Ent(e,j)  in 
P,  and  if  so,  their  values  are  either  both  pointers  or  both  the 


same  non-pointer  (8)+(9)+(10)+Defs.  6. 3-6+6. 3-3 

(12)  /(d)  is  a  pi  operation  «»  there  is  a  j  such  that,  in  all  computations 

in  which  e  has  the  same  set  of  non-polnter-valued  input  entries 
as  in  af,  the  value  of  the  output  entries  of  e  equals  V(Ent(e,j)) 
in  that  computation  Def.  5.1-2 

(13)  •  V(f)  -  V(Entaf(e,j))  and  V(g)  -  V(Entp(e,j))  (ll)+(l)+(3) 

(14)  =»  V(f)  is  not  a  pointer  iff  V(g)  is  not  a  pointer,  and  If  they  are 

not  pointers,  then  they  are  the  same  (11) 

(15)  e  is  not  in  IE  and  /(d)  is  not  a  pi  or  a  structure  operation  =»  /(d) 

is  a  deterministic  action  Ax.  6.2-3 

(16)  a  e's  input  and  output  entries  have  non-pointer  values  Const.  5.1-1 

(17)  *»  for  every  j,  V(Entaf(e, j))  =  V(Entp(e,j))  (11) 

(18)  =>  V(g)  and  V(f)  are  equal  non-pointers  (ll)+(15)+(16)+Def .  6.2-1 

(19)  For  any  structure  operation  execution  e'  initiated  before  the  last 

entry  in  af,  l.e.,  in  a,  and  any  Assign,  Update,  or  Delete 
execution  A,  e’  is  in  reach  R(A)  in  fi  iff  e'€R(A)  in  a 

Defs.  6. 3-3+6. 3-5 

(20)  iff  e’ €R(A)  in  af  (6)+(7)+Cor.  6.3-1 

(21)  If  there  is  an  Ent(A,2)  In  af,  its  value  is  not  a  pointer 

(19)+Const.  5.1-1 

(22)  e’  €R(A)  in  af  ■*  e'€R(A)  in  a  =»  A  is  initiated  in  a 

(19)+(20)+(6)+(7)+Lemma  5.3-8 

(23)  -  V(Entaf(A,2))  -  V(Entp(A,2)) 


ml 


(7)-(ll)+-(21) 
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(24)  /(d)  Is  a  structure  operation  ■*  Ent  (e,l)  and  Ent0(e,l)  are  both 

a  p 

pointer-valued,  and  have  the  same  transfer,  and  if  /(d)  is 
anything  but  Fetch,  First,  or  Copy,  e  has  the  same  non-pointer 
selector  input  in  of  and  (3  (10)+(ll)+Const.  5.1-1 

(25)  *»  for  p  -  V(Entflf (e,l))  -  V(Enta(e,l))  and  p'  *  V(Entp(e,l) ) , 

F(p)  is  defined  and  equal  to  p'  Defs.  6. 3-6+6. 3-4 

(26)  =»  (p,a)p(p',p)  (6)+Def.  6.3-6+Thm.  6.3-1 

(27)  =>  (p,af)p(p',p)  (6)+(19)+(20)+Lemna  5.3-10 

(28)  /(d)  is  a  First  or  Next  »  e  is  in  the  reach  of  an  Update  (Delete) 
execution  with  selector  input  s  in  af  iff  e  is  in  the  reach  of  an 
Update  (Delete)  execution  with  selector  input  s  in  p 

(7)+(19)+(20)+(22)+(23) 

(29)  =»  for  i«l,2,  Src(e,i)  has  the  same  value  in  af  as  in  p 

(6)+(24)+(25)+(27)+Const.  5.1-6 

(30)  =»  V(f)  -  V(g)  (l)+(3) 

(31)  /(d)  is  an  Assign,  Update,  or  Delete  and  i  -  1  =>  [e  is  in  a  reach 

in  af  =»  V(f)  *  V(g)  -  0]  (l)+(3)+Consts.  5. 1-3+5. 1-4 

(32)  a  [e  is  not  in  a  reach  in  af  =»  V(f)  ■  V(g)] 

(6)+(24)+(25)+(27)+(l)+(3)+Const.  5.1-5 

(33)  /(d)  is  a  Fetch  or  Assign  and  e€R(A)  in  af  =»  e€R(A)  in  p 

(7)+(19)+(20) 

(34)  *»  letting  v  be  V(Enta^(A,2))  ■  V(Entp(A,2)) ,  [i  *  1  and  /(d)  is 

Fetch  =»  V(f)  -  V(g)  -  v]  A  [i  -  2  =>  V(f)  -  V(g)  -  (v*nil)  1 

(22)+(23)+Const.  5.1-3 

(35)  /(d)  is  Fetch  or  Assign  and  e  is  in  no  reach  in  af  =>  V(g)  ■  V(f) 


(6)+(24)+(25)+(27)+(l)+(3)+Const.  5.1-5 
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(36)  /(d)  is  Select,  Update,  or  Delete  and  i  ■  2  =»  [e  is  in  the  reach 

of  an  Update  in  of  =*  e  is  in  the  reach  of  an  Update  in  a  *» 

V(f)  -  V(g)  ■  true]  A  [e  is  in  the  reach  of  a  Delete  in  of  =* 

V(f)  -  V(g)  -  false]  (7)+(19)+(20)+Const.  5.1-4 

(37)  a  [e  is  in  no  reach  in  af  =»  V(f)  *  V(g)] 

(6)+(24)+(25)+(27)+(l)+(3)+Const.  5.1-5 

(38)  /(d)  is  a  Select  and  i  ■  1,  or  /(d)  is  a  Copy  »  V(f)  and  V(g)  are 

pointers  Const.  5.1-1 

(39)  V(f)  is  not  a  pointer  iff  V(g)  is  not  a  pointer,  and  if  they  are 

not  pointers,  they  are  the  same  (4)+(12)+(14)+(15)+(18)+(28)-(38) 

(40)  p  is  NPE-inclusive  of  af  (39)+Def.  6.3-3 

A 

Lemma  6.3-2  Given  an  expansion  (Int,«/),  where  Int  *  (St,/,IE),  which 

satisfies  the  first  four  Determinacy  Axioms,  let  af  and  p  be  any  two 

computations  in  any  Jf J such  that p is  transfer-inclusive  of  af.  If  p  is 

Inclusive  of  a  under  the  natural  pointer  correspondence  F  _,  then  p  is 

a,p 

PE- inclusive  of  af  under  F  r  „. 


Proof:  Abbreviate  F  „  as  F  and  F  ,  „  as  F' . 

-  a,p  af ,p 

(1)  Let  s  -  Src(e,i)  be  the  source  in  T(f).  Then  V(f)  is  the  value  of 

8  in  af  Def.  4.2-6 

(2)  There  is  an  entry  g  in  p  with  T(g)  ■  T(f)  Def.  6.3-2 

(3)  V(g)  is  the  value  of  s  in  p  (l)+(2)+Def.  4.2-6 

(4)  J  is  a  Job  for  Int  Def.  4.2-2 

(5)  a,  af,  and  p  are  all  causal  computations  for  Int 

(4)+Axioms  6 . 2-1+6 . 2-2+Def .  4.2-3 

(6)  •  is  Initiated  in  a  (l)+(5)+Def .  4.2-7 


i 
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(7)  Letting  e  -  Ex(d,k),  there  are  exactly  In(/(d))  input  entries  to 

e  in  a,  and  at  most  ln(/(d))  input  entries  to  e  in  af  and  in  (3 

(5)4(6)4Def.  4.2-6 

(8)  For  any  j,  there  is  an  entry  Ent(e,j)  in  a  iff  there  is  an  entry 

Ent(e,J)  in  (3,  and  if  so,  those  entries  have  the  same  transfer 

(7)4Defs.  4.2-646.3-2 

(9)  For  every  j,  there  is  an  Ent(e,j)  in  af  iff  there  is  an  Ent(e,j)  in 

p,  and  if  so,  their  values  are  either  both  pointers  or  both  the 
same  non-pointer  (8)4Defs.  6.3-646.3-3 

(10)  /(d)  is  a  pi  operation  =*  there  is  a  j  such  that,  in  all  computations 

in  which  e  has  the  same  set  of  non-pointer-valued  input  entries 
as  in  af,  the  value  of  the  output  entries  of  e  equals  V(Ent(e,j)) 

In  that  computation  Def.  5.1-2 

(11)  •  V(f )  -  V(Entaf(e,j))  and  V(g)  -  V(Entp(e,j))  (9)4(1)4(3) 

(12)  For  every  h  in  af  and  k  In  {3  such  that  T(k)  ■  T(h) ,  V(k)  is  a 

pointer  iff  V(h)  is  a  pointer  Lemma  6.3-l4Def.  6.3-3 

(13)  and  if  h  is  in  a,  and  those  values  are  pointers,  then  F(V(h))  is 

defined  and  equal  to  V(k)  Defs.  6.3-646.3-4 

(14)  For  each  pointer  r  which  is  the  value  of  an  entry  in  a,  r  is  the 

value  in  a  of  the  output  entries  of  a  Copy  execution  C  «*  r  is  the 
value  in  af  of  the  output  entries  of  C  and  F(r)  is  the  value  in  p 
of  the  output  entries  of  C  =»  F' (r)  is  the  value  in  p  of  the  output 
entries  of  C  •  F'(r)  -  F(r)  Def.  6.3-7 

(15)  r  is  the  value  of  an  output  entry  of  a  Copy  execution  in  af  •  the 

first  entry  with  a  value  of  r  in  af,  which  is  in  a,  is  an  output 
entry  of  C  (5)4(14)4Len«»a  5.3-8 
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(16) 


(17) 

(18) 


(19) 

(20) 
(21) 
(22) 

(23) 

(24) 

(25) 

(26) 

(27) 

(28) 

(29) 

(30) 

(31) 


For  any  structure  operation  execution  e'  Initiated  In  a,  and  for 
any  Assign,  Update,  or  Delete  execution  A,  e*€R(A)  in  p  iff 
e'fR(A)  in  a  Defs.  6. 3-6+6. 3-5 

iff  e*€R(A)  in  af  (5)+(6)+Cor.  6.3-1 

r  is  not  the  value  in  a  of  the  output  entries  of  a  Copy  execution 
=»  F(r)  *  r',  where  r'  is  not  the  value  in  p  of  the  output  entries 
of  a  Copy  execution  and  (r,a)p(r',p)  (13)+Def.  6.3-7 

a  r  is  not  the  value  of  an  output  entry  of  a  Copy  execution  in  af 

(15) 

=»  (r.af)p(r'  ,p)  (5)+(16)+(17)+Lemma  5.3-10 

-  F* (r)  -  r'  -  F(r)  (19)+(18)+Def .  6.3-7 

Assume  V(f)  is  a  pointer  p.  Then  V(g)  is  a  pointer  p'  (12)+(2) 

e  either  is  in  IE  or  is  a  pi  execution,  a  Copy,  or  a  Select 
execution  (22)+(l)+Const.  5.1-1 

e€IE  =»  there  is  a  source  s  ■  Src(e,i)  such  that  p  (p')  is  the 
value  of  s  in  af  (p)  (l)+(3)+(22) 

•  (p.af)p(p' ,p)  Def.  5.1-10 

A  p  (p')  is  not  the  value  of  the  output  entries  of  a  Copy  execution 

in  af  (p)  Const.  5.1-7 

•  p'  -  F’(p)  Def.  6.3-7 

e  is  a  Copy  execution  «►  p  (pr)  is  the  value  of  the  output  entries 

of  a  Copy  execution  C  In  af  (p)  (l)+(3)+(22) 

•  p*  ■  F’(p)  Def.  6.3-7 


e  Is  a  pi  execution  •  3 j :  V(f)  -  V(Ent  ,(e,J))  -  p  and 

at 

v(g)  -  V(Entp(e,j))  -  p’ 


Ent  ,(e,J)  Is  In  a 


(10)+(ll)+(22) 

(7) 


(8)+(12)+(13)+(30)+(31) 


(32) 

(33) 

(34) 

(35) 

(36) 

(37) 

(38) 

(39) 

(40) 

(41) 

(42) 

(43) 

(44) 

(45) 

(46) 

(47) 
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e  Is  a  pi  execution  *»  p*  «■  F(p) 
e  Is  a  Select  execution  which  Is  In  a  reach  in  of  ■»  e  is  In  the 
reach  of  an  Update  execution  U  in  af  (22)4Const.  5.1-4 

»  e  is  in  the  reach  of  U  in  {3  (6)+(16)+(17) 

A  U  is  initiated  before  e,  i.e.,  in  a  (5)+(6)+L,emma  5.3-8 

=»  P  -  V(f)  -  V(Entaf(U,3))  Ap'  ■  V(g)  -  V(Entp(U,3)) 

(33)+(34)+(l)+(3)+Const.  5.1-4 
A  Enta^(U,3)  is  in  a  Def.  4.2-6 

=»  p'  *  F(p) 


e  is  a  Select  execution  which  is  in  no  reach  in  if  4  e  is  a 
Select  execution  which  is  in  no  reach  in  P  (6)+(16)+(17) 

A  V(Entaf (e,2))  and  V(Entp(e,2))  are  not  pointers  and  so  are 
the  same  (9)+Const.  5.1-1 

A  letting  q  -  V(EntQf (e,l))  and  q'  «*  V(Entp(e,l)) ,  F(q)  is  defined 
and  equal  to  q'  (6)+(7)+(ll)+(12) 

-  (q.a)p(q'.P)  (5)+(7)+Def.  6.3-6+Thm.  6.3-1 

«•  (q,af)p(q',p)  (5)+(16)+(17)+Lenma  5.3-10 

■»  (p,af)p(p',P)  (22)+(l)+(3)+(39)+(40)+(41)+Def.  5.1-10 

A  p  (p*)  Is  not  the  value  of  the  output  entries  of  a  Copy  execution 


in  of  (p)  (22)+(l)+(3)+(39)+Const.  5.1-7 
•  p'  ■  F'(p)  Def.  6.3-7 
P*  -  F*(p) 


(23)+(24)+(27)+(28)+(29)+(39)+(46)+(32)+(33)+(38)9-(14)+(18)+(21) 
(48)  0  is  PE-inclusive  of  af  under  F'  (12)+(13)+(22)+(47)-H>ef .  6.3-4 
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Lenma  6.3-3  Given  an  expansion  (Int,J),  where  Int  *  (St,/, IE),  which 
satisfies  the  first  four  Determinacy  Axioms,  let  af  and  p  be  any  two 
computations  in  any  J £J  such  that  p  is  transfer-inclusive  of  af.  If 

a.  p  is  NPE-inclusive  of  af, 

b.  p  is  PE-inclusive  of  af  under  natural  pointer  correspondence 

c.  p  is  reach- Inclusive  of  a,  and 

d.  p  preserves  the  order  of  dependent  accesses  of  af, 
then  p  is  reach-inclusive  of  af. 


Proof:  Abbreviate  F  ,  „  as  F. 

-  af  ,p 

(1)  J  is  a  job  for  Int  Def.  4.2-2 

(2)  af  and  p  are  causal  computations  for  Int  (1)+Ax.  6.2-1+Def.  4.2-3 

(3)  For  every  structure  operation  execution  e  initiated  in  a,  and  for 

any  Assign,  Update,  or  Delete  execution  A,  e  is  in  reach  R(A)  in 
a  iff  e  is  in  R(A)  in  p  Def.  6.3-5 


(4)  and  e  is  in  R(A)  in  a  iff  e  is  in  R(A)  in  af  (2)+Cor.  6.3-1 

(5)  If  f  does  not  initiate  a  structure  operation  execution,  then  for 

every  structure  operation  execution  e  initiated  in  af,  e  is 
initiated  in  a  Def.  4.2-6 

(6)  »  e  is  in  R(A)  in  af  iff  e  is  in  R(A)  in  p  (3)+(4) 

(7)  For  any  structure  operation  execution  e  ■  Ex(d,k)  initiated  in  af, 

there  ere  In(/(d))  input  entries  to  e  in  af  Def.  4.2-6 


(8) 

(9) 

(10) 

(11) 


and  e  is  initiated  in  p 


Defs.  6 . 3-2+4 . 2-6 
Const.  5.1-1 
(5)+Def.  6.3-3 

Assusm  f  Initiates  a  structure  operation  execution  e  *  Ex(d,k) 


In(/(d))  >  1  •  V(EntQf (e,2))  is  not  a  pointer 
-  V(Entp (e,2))  -  V(Entaf (e,2)) 
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in  af.  For  any  Assigns  Update,  or  Delete  execution  A,  e€R(A)  in 
af  »  A  is  initiated  beforb,  e,  i.e.,  in  a  ■ 


V(Entaf(e,2))  -  V(Entp(e,2)) 


(2)+(7)+(9)+(10)+Lenma  5.3-8 


(12)  e  is  in  R(A)  in  af  iff  e  and  A  arh  executions  of  one  of  a  few 

prescribed  combinations  of  operation ,  [A  is  an  Update  or  Delete  A 
e  is  a  Select,  Update,  or  Delete  =»  V(lb»t  ,(e,2))  *  V(Ent  _(A,2))], 


and  Ent  ,(e,l)  is  in  duration  D(A)  in  af 
at 


Def s .  5 . 1-6+5 . 1-8 


(13)  If  A  is  an  Update  or  Delete  and  e  is  a  Select  ^sUpdate,  or  Delete, 
then  e€R(A)  in  af  -  V(EntQf (e,2))  -  V(Entaf (A,2y)  iff 


V(Entp(e,2))  -  V(Entp(A,2)) 


(ll)V(7)+(9)+(10)+(8) 


(14)  For  every  structure  operation  execution  A  initiated  in  af  and  every 

pointer  p,  Ent  C(A,1)  is  in  Haf  iff  V(Ent  _(A,1))  -  p\  Def.  5.1-4 
at  p  at  ' 

(15)  iff  A  is  initiated  in  p  and  V(Entp(A,l))  *  F(p)  (7)+(8)+Def.  6.3-4 

(16)  iff  Entp(A.l)  is  in  l^ef.  5.1-4 

(17)  For  any  pointer  p  and  any  computation  w,  denote  by  APS(p,aj)\i 


sequence  of  the  entries  in  the  set  (Ent (A,l) |  A  is  an  Assign), 


arranged  in  the  same  relative  order  as  they  appear  in  H^.  The^ 
every  entry  in  APS(p,af)  is  in  APS(F(p),p)  (14)+(16)+Def .  5.\l-4 
Now  prove  the  following: 

A:  For  any  p  and  for  any  i  less  than  or  equal  to  the  length  of  APS(p,af), 
the  l**1  element  in  the  sequence  APS(p,af)  is  EntQ^(A,l)  iff  the  i^1 
element  in  APS(F(p),p)  is  Entg(A,l). 

Proof  is  by  Induction  on  1. 

Basis:  1*1. 

(18)  Let  Enta^(A,l)  be  the  first  element  in  APS(p,af).  Entp(A,l)  is 

not  the  first  element  in  APS(F(p),p)  •  it  is  the  J**1,  j  >  1  (17) 
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(19)  -  letting  Entp(AM)  be  the  j-l8t  eleaent  In  APS(F(p),p),  there  Is 
no  Assign  execution  Input  entry  between  Ent_(A',l)  and  Ent  (A,l) 


ln  "f (p) 

(20)  «  Entp(A.l)  Is  in  the  duration  D(A')  In  p 

(21)  -  A  is  in  R(A')  in  p 

(22)  m  A'  initiates  before  A  in  af 

(23)  -  Ent  ,(A\1)  is  in  Haf 

at  p 

(24)  •»  Ent  -(A',1)  precedes  Ent  r(A,l)  in  Ha* 

ar  cut  p 


Def.  5.1-5 
Def .  5.1-6 
(19)+Def.  6.3-1 
(19)+(14)+(16) 
(22)+(18)-H>ef.  5.1-4 


(25)  =•  EntQj(A,l)  is  not  the  first  element  in  APS(p,af)  (] 

(26)  Entp(A.l)  is  the  first  element  in  APS(F(p),p)  (18)+(25) 

Induction  step:  Assume  that  for  some  n  >  0,  for  all  i  <  n,  Ent  .(A,l) 
is  the  1th  element  of  APS(p.af)  iff  E*ltp(A,l)  is  the  1th  element  of 
APS(F(p) ,p) .  Consider  A  such  that 

(27)  Ent^(A,l)  is  the  iH-lst  element  of  APS(p.af) 

(28)  3j :  Entp (A,l)  is  the  jth  element  of  APS(F(p),p)  (] 

(29)  J  <  n  *»  Ent^fA.l)  is  the  j**1  element  of  APS(p,af)  ind.  hj 

(30)  J  >  n  (27)+(3 


ind.  hyp. 
(27)+(29) 


(31)  Let  A*  be  such  that  Entp (A' ,1)  is  the  j-l8t  element  of  APS(F(p),p). 


Then  EntQf(A',l)  precedes  Entaj(A,l)  in  APS(p,af) 


(19)-(24) 


(32)  Entaf(A\l)  is  the  k  element  in  APS(p.af)  for  k  <  n  (31)+(27) 

(33)  Ent. (A* ,1)  is  the  k1*1  element  in  APS(F(p),p)  (32)+ind.  hyp. 


(33)  Entp (A’, 1)  is  the  k  element  in  APS(F(p),p)  (32)+ind.  hyp 

(34)  J-l  <  n;  i.e.f  J  <  n+1  (31>+(33)+(32) 

(35)  Entp (A, 1)  is  the  n+l8t  element  of  APS(F(p),p)  (28)+(30)+(34) 

Thus  A  is  proven  by  induction.  For  any  structure  operation  execution  a 


initiated  in  af,  and  any  Assign  execution  A,  there  are  three  cases. 


/. 
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Case  I:  e  is  in  R(A)  in  af,  Ent  ,(e,l)  Is  In  the  duration  D(A)  in  af,  and 

at 

Ent  _(e,l)  and  Ent  .(A,l)  are  in  the  same  access  history  Ha^. 
at  at  p 

(36)  e  and  A  are  executions  of  one  of  the  right  combinations  of 

operations,  and  if  A  is  an  Update  or  Delete  and  e  is  a  Select, 


Update,  or  Delete,  then  V(Ent  (e,2))  ■  V(Ent0(A,2) ) 

P  P 

(37)  Entp(e,l)  and  Entp(A,l)  are  both  in 


(12)+(13) 

(11)+(14)+(16) 


(38)  Letting  1  be  such  that  Ent  ,(A,1)  is  the  1  element  of  APS(p,af), 

af 

Ent  ,(e,l)  follows  Ent  r(A,l)  in  Ha^,  but  does  not  follow  in  Ha* 
af  af  p  ’  p 


the  1+1  element  of  APS(p,af) 

(39)  A  initiates  before  e  in  a 

(40)  Entp(e,l)  follows  Entp(A,l)  in 

(41)  Ent  (A,l)  is  the  1th  element  of  APS(F(p),B) 

P 


(ll)+(17)+Def.  5.1-5 


Def.  6.3-1 


(37)+(39)+Def.  5.1-4 
(38)+A 


(42)  ej(R(A)  in  p  =»  there  is  an  Assign  execution  A'M  such  that  Entp(e,l) 

is  in  D(A')  in  p  and  e€R(A')  in  p  (36)+(40)-H)ef .  5.1-6 

(43)  =»  Ent  (A',1)  is  between  Enta(A,l)  and  Ent_(e,l)  in  .  Def.  5.1-5 

p  p  p  rtP7 


(44)  a  A'  initiates  before  e  in  af 


(ll)+Def.  6.3-1 


(45)  =>>  Ent  .(A',1)  precedes  Ent  ,(e,l)  in  H  (43)+(14)+(16)+Def .  5.1-4 

at  at  p 

(46)  »  EntQj(A' ,1)  is  the  j**1  element  of  APS(p,af)  for  j  <  i  (38)+(42) 

a  th 

(47)  »  EntQ(A',l)  is  the  j  element  of  APS(F(p),p)  and  j  <  i  (38)+A 

P 


(48)  »Entp(A' ,1)  precedes  Ent^(A,l)  in 

(49)  e€R(A)  in  p 


(40)+(41)+(17) 

(42)+(43)+(48) 


Case  II:  eCR(A)  and  Ent  ,(e,l)fD(A)  in  af,  Ent  ,(e,l)  is  in  Ha  ,  but 

at  at  p 

Ent  >(A,1)  is  not  in  Haf. 
at  p 

(50)  e  and  A  are  executions  of  one  of  the  right  combinations  of 

operations,  and  if  A  is  an  Update  or  Delete  and  e  is  a  Select, 


Update,  or  Delete,  then  V(Ent  (e,2))  ■  V(Ent  (A, 2)) 

P  P 


(12)+(13) 


TSfr*9  '-VSn 


Entaf(C,l)  is  in  D(A)  in  af 


(51)  Entp(e.l)  is  in  H^p),  but  Ent^A.l)  is  not  (11)+(14)+(16) 

(52)  Ent^(e,l)  precedes  in  the  first  element  of  APS(p,af),  p  is  the 

value  of  the  output  entries  of  some  Copy  execution  C  in  af,  and 

(17)+Def.  5.1-5 

(53)  C  is  in  R(A)  in  af  (52)+Def.  5.1-6 

(54)  Enta^(e,l)  has  value  p  and  is  in  af  Def.  5.1-4 

(55)  There  is  an  entry  in  af  which  is  an  output  entry  of  C 

(2)+(54)+(52)+Lensna  5.3-8 

(56)  C's  initiating  entry  precedes  that  entry,  i.e.,  C  is  initiated  in  a 

(55)+(2)+Def.  4.2-7 

(57)  C  is  in  R(A)  in  P  (53)+(56)+Def .  6.3-5 

(58)  Entp(C.l)  is  in  D(A)  in  P  (57)+Def.  5.1-6 

(59)  F(p)  Is  the  value  of  the  output  entries  of  C  in  P  (52)+Def.  6.3-7 

(60)  e/fR(A)  in  p  =»  There  ia  some  entry  in  APS(F(p),P)  which  precedes 

Entp(e.l)  in  H^(p)  (50)+(51)+(59)+(58)+(17)+Def .  5.1-5 

(61)  =»  There  is  some  A*  such  that  Entp(A' ,1) 6APS(F(p) ,P)  and  Entp(e,l) 

is  in  D(A’)  in  p  (17)+Def.  5.1-5 

(62)  -  eCR(A’)  in  P  (50)+Def.  5.1-6 

Def.  6.3-1 


(63)  »  A'  initiates  before  e  in  af 

(64)  -  Entaf(A',l)  is  in  Hpf 


(60)+(14)+(16) 

(65)  •  Ent„,(A',l),  which  is  in  APS(p,af),  precedes  Ent_.(e,l)  in  H° 

at  at  p 

(17)+(63)+Def.  5.1-4 

(66)  e«(A)  in  p  C60)+(65)+(52) 


Case  III:  There  is  no  Assign  execution  A  such  that  efR(A)  in  af.  Prove 
that  there  is  no  Assign  execution  A  such  that  e€R(A)  in  P  by  contradiction. 
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(67)  Assume  there  is  an  Assign  execution  A  such  that  e€R(A)  in  p 

(68)  e  and  A  are  executions  of  one  of  the  proper  combinations  of  opera¬ 

tions,  if  A  is  an  Update  or  Delete  and  e  is  a  Select,  Update,  or 

Delete,  then  V(Ent  (e,2))  -  V(Ent  (A, 2)),  and  Ent.(e,l) €D(A)  in  B 
P  P  P 

Def.  5.1-6 

(69)  If  A  is  an  Update  or  Delete  and  e  is  a  Select,  Update,  or  Delete, 

then  V(EntQf(e,2))  -  V(Entaf (A, 2))  (13) 

(70)  Entaf(e,l)«D(A)  in  af  =»  efR(A)  (68)+(69)+Def .  5.1-6 

(71)  Entaf(e,l)*D(A)  in  af  (70) 

(72)  There  is  a  pointer  p  such  that  Ent  e(e,l)  precedes  in  H0^  the  first 

at  p 

element  of  APS(p.af),  and  either  p  is  not  the  value  in  af  of  the 
output  entries  of  a  Copy  execution,  or  p  is  the  value  in  af  of  the 
output  entries  of  a  Copy  execution  C,  but  Entaf(C,l)  is  not  in 
D(A)  in  af  (17)+(71)+Def .  5.1-5 


(73)  There  is  some  entry  in  APS(F(p),p)  which  precedes  Ent  (e,l)  in 

P 

=»  there  is  some  A'  such  that  Ent^(A',l)  is  in  APS(p.af) 


and  precedes  Ent  r(e,l)  in  H 
at  p 


,af 


(69)+(60)+(65) 

P 


(74)  There  is  no  entry  in  APS(F(p),p)  which  precedes  Entp(e,l)  in 

(73)+(72) 

(75)  F(p)  is  the  value  of  the  output  entries  of  a  Copy  execution  C  in  p 

iff  p  is  the  value  of  the  output  entries  of  C  in  af  Def.  6.3-7 

(76)  p  is  not  the  value  of  the  output  entries  of  a  Copy  execution  in  af 

*  F(p)  is  not  the  value  of  the  output  entries  of  a  Copy  execution 
in  p  (75) 

(77 ;  p  is  the  value  of  the  output  entries  of  a  Copy  execution  C  in  af 
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and  Ent0(C,l)  la  In  0(A)  in  8  •  C  li  Initiated  in  a  (72)+(54)-(56) 
P 

(78)  A  C  is  in  R(A)  in  p  Def.  5.1-6 

(79)  •  C  is  in  R(A)  in  of  Def.  6.3-5 

Def.  5.1-6 

(81)  p  is  the  value  of  the  output  entries  of  Copy  execution  C,  but 


(80)  »  Ent  c(C,l)  is  in  D(A)  in  of 
at 


Ent  ,(C,1)  is  not  in  D(A)  in  af  =»  F(p)  is  the  value  of  the  output 
at 


entries  of  C  in  p 

(82)  a  Ent  (C,l)  is  not  in  D(A)  in  B 

P 


(75) 

(77)+(80) 


(83)  Ent  (e,l)  is  not  in  D(A)  in  p  (72)+(74)+(76)+(81)+(82)+Def .  5.1-5 

P 

Since  (67)  implies  a  contradiction  between  (68)  and  (83),  (67)  is  false. 

(84)  There  is  no  Assign  execution  A  such  that  e€R(A)  in  p 

(85)  If  f  initiates  a  structure  operation  execution  e  in  af,  then  for 

any  Assign  execution  A,  e€R(A)  in  af  iff  e€R(A)  in  p  (49)+(66)+(84) 
Replacing  "Assign  execution  A"  with  "Update  or  Delete  execution  A  with 
V(Ent(A,2))  “  V(Ent(e,2))"  in  (17)  through  (85)  yields  a  proof  of 

(86)  For  any  Update  or  Delete  execution  A,  efR(A)  in  af  iff  e£R(A)  in  p 

(87)  p  is  reach-inclusive  of  af  (5)+(6)+(ll)+(85)+(86)+Def .  6.3-5 

A 

Now  the  framework  of  the  induction  is  easily  built  on  these  three 
lemmas,  to  complete  the  proof  of  the  basic  requirements  for  equivalence. 


Theorem  6.3-2  Given  an  expansion  (Int ,J)  which  satisfies  the  first  four 
Determlnacy  Axioms,  let  co^  and  be  any  two  computations  in  any  job  J$J. 

If  «2  *s  transfer-congruent  to  and  preserves  the  order  of  dependent 

accesses  of  co^,  then  is  equivalent  to  co^ . 
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Proof:  First  prove,  by  induction  on  the  lengths  of  the  prefixes  of 
that  ^2  Is  inclusive  of  ^  under  the  natural  pointer  correspondence 
F  ■  F  .  Induction  hypothesis  is  that  co  is  inclusive  of  a  prefix  a 

a>£,a>2  2 

of  co-  under  F„ 

1  a.av. 

Basis:  |a|  -  0 

(1)  There  are  no  entries  in  a,  so  that  there  are  no  executions  of 


structure  operations  initiated  in  a 
(2)  oo^  is  vacuously  inclusive  of  a 


Def.  4.2-6 


(1)+Defs.  6.3-2-+6.3-6 


Induction  step:  Assume  that  oo^  is  inclusive  of  the  length-n  prefix  a  of 

00,  under  F  ,  and  consider  the  length-n+1  prefix  af  of  u,  . 

1  a,oo2  1 

(3)  J  is  a  job  for  Int  Def.  4.2-2 

(4)  ooj^,  a»  and  are  a^  causal  computations  for  Int  and  are  all 

in  J  (3)+Axioms  6. 2-1+6 .2-2+Def .  4.2-3 


(5)  oo^  is  transfer-inclusive  of  co^,  hence  of  af 

(6)  oo^  is  inclusive  of  a  under  FQ 

(7)  co2  is  NPE- inclusive  of  af 

(8)  oo  is  PE-inclusive  of  af  under  F  , 

i  at  ,“>2 

(9)  «2  reach-inclusive  of  a 


Def.  6.3-2 


ind.  hyp. 


(4)+(5)+(6)+Lemma  6.3-1 
(4)+(5)+(6)+Lemma  6.3-2 
(6)+Def .  6.3-6 


(10)  For  each  structure  operation  execution  e  initiated  in  af,  e  is 


initiated  in  oo. 


Def.  4.2-6 


(11)  For  each  such  e,  and  each  Assign,  Update,  or  Delete  execution  A, 


efR(A)  in  af  **  A  is  initiated  before  e  in  af 


(4)+Leoma  5.3-8 


(12)  efR(A)  in  af  and  Ent^^A.l)  and  Ent^Ce, 1)  are  in  the  same  access 


history  in  af  **  e^R(A)  in 
(13)  A  V(Entaf(e,l))  -  V(Entaf (A,l)) 


(4)+(10)+(ll)+Cor.  6.3-1 
Def.  5.1-4 
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(14)  =»  Ent^^e.l)  and  Ent^(A,l)  are  in  the  same  access  history  in  ^ 

(1Q)+(11)+Def .  5.1-4 

(15)  a  A  is  initiated  before  e  in  ^  (12)+Def.  6.3-1 

(16)  efR(A)  in  o)»  and  Ent  (e,l)  and  Ent  (A,l)  are  in  the  same  access 

L  uf2 

history  in  co2  =»  A  is  initiated  before  e  in  (10)+Def.  6.3-1 

(17)  a  A  is  initiated  before  e  in  af  (10)+Def.  4.2-6 

(18)  &>2  preserves  the  order  of  dependent  accesses  of  af 

(10)+(11)+(12)+(15)+(16)+(17)+Def.  6.3-1 

(19)  <*2  is  reach- inclusive  of  af  (4)+(5)+(7)+(8)+(9)+(18)+Lemma  6.3-3 

(20)  as  is  inclusive  of  af  under  F  -  (5)+(7)+(8)+(19)+Def .  6.3-6 

2  af  .cijj 

Thus  it  is  proven  inductively  that 

(21)  us 2  is  inclusive  of  co^  under  F 

(22)  The  set  of  transfers  of  the  entries  in  as^  and  are  identical 

Def.  6.3-2 

(23)  For  any  entry  f  in  co^,  let  g  be  the  entry  in  a>^  such  that  T(g)  *  T(f) 

Then  V(f)  is  not  a  pointer  iff  V(g)  is  not  a  pointer,  and  if  those 
values  are  not  pointers,  they  are  equal  (21)+Defs.  6. 3-6+6. 3-3 

(24)  F  is  one-to-one  (4)+(22)+Def .  6.3-2+Thm.  6.3-1 


(25)  There  is  a  one-to-one  pointer  correspondence  F  such  that  V(f)  is  a 
pointer  iff  V(g)  is  a  pointer,  and  if  they  are  pointers,  then 
F(V(f))  is  defined  and  equal  to  V(g)  (21)+(24)+Defs .  6. 3-6+6. 3-4 


(26)  For  any  Assign,  Update,  or  Delete  execution  A,  e€R(A)  in  => 


Ent(e,l)  is  in  D(A)  in  w. 

(27)  »  Ent(e,l)  is  in  an  access  history  in 

(28)  •  e  is  initiated  in 


Defs. 

Defs. 


Def.  5.1-4 
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(29)  =»  e€R(A)  in  co2 

(30)  e€R(A)  in  =*  ®  Is  initiated  in 

(31)  s  e  is  initiated  in  coj 

(32)  =  efR(A)  in  ^ 

(33)  R(A)  in  co^  equals  R(A)  in 

(34)  o^2  is  equivalent  to 


(26)+(21)+Defs.  6. 3-6+6. 3-5 
(26)-(28) 
(22)+Def.  4.2-6 
(30)+(21)+Defs.  6 . 3-6+6 . 3-5 
(26)+(29)+(30)+(32) 
(22)+(23)+(25)+(33)+Def.  6.1-1 

Q.E.D. 


6.4  The  Determinacy  Proof 

This  concluding  section  applies  the  foregoing  general  equivalence 
result  to  the  immediate  problem  of  proving  that  the  Determinacy  Axioms 
imply  determinacy.  The  Determinacy  Proof  Technique  introduced  in 
Chapter  4  is  used  to  prove,  as  required,  that  any  two  halted  computations 
and  c»2  in  a  J  are  equivalent.  A  sequence  of  computations  is 
constructed  in  which  the  first  iso^,  each  succeeding  computation  is  in  J, 
is  halted,  and  is  equivalent  to  the  preceding,  and  the  last  computation 
is  equivalent  to 

Each  computation  in  this  sequence  is  derived  from  the  preceding  one 
by  permuting  a  single  entry  zero  or  more  positions  to  the  left.  That 
such  a  permutation  results  in  an  equivalent  computation  is  proven  first, 
in  two  lemmas.  The  first  of  these  proves  that  moving  an  entry  one 
position  to  the  left  yields  an  equivalent  computation  which  is  in  the  same 
job.  The  second  lemma  then  Inductively  extends  this  to  a  permutation  of 
any  number  of  positions  to  the  left. 
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Lemma  6.4-1  Let  (lnt,J),  where  Int  =  (St,/, IE),  be  any  expansion  from  an 
S-S  model  which  satisfies  the  Determinacy  Axioms.  For  any  J€J,  for  any 
computation  agf{3  in  J  such  that 

(1)  T(f)fETJ(a) 

afgp  is  in  J  and  is  equivalent  to  agf  [3* 


Proof ; 

(2)  agf  is  in  J  and  so  is  causal  Axioms  6 . 2-1+6 . 2-2+Def .  4.2-7 

(3)  Assume  there  is  a  computation  afg€J  in  which  T(f)  =  T(f)  and 

T(g)  ■  T(g) .  Let  e  be  any  structure  operation  execution  initiated 
in  agf,  and  let  A  be  any  Assign,  Update,  or  Delete  execution.  Then 
e£R(A)  in  agf  and  Ent(A,l)  and  Ent(e,l)  are  in  the  same  access 
history  in  agf  =»  it  is  not  the  case  that  f  and  g  are  the  initiating 
entries  of  e  and  A  (2)+Ax.  6.2-7 

(4)  a  A's  initiating  entry  precedes  e’s  in  agf  (2)+Lemma  5.3-8 

(5)  =>  A's  initiating  entry  is  in  a  (3) 

(6)  =»  A's  initiating  entry  precedes  e’s  in  a?i  (4) 

By  symmetry  (exchanging  g  for  f  and  f  for  g) , 

(7)  e£R(A)  in  a?i  and  Ent(A,l)  and  Ent(e,l)  are  in  the  same  access 

history  in  afg  *»  A’s  initiating  entry  precedes  e’s  in  agf 

(8)  If  there  is  an  afg€J  in  which  T(f)  -  T(f)  and  T(g)  =  T(g) ,  then  it 

preserves  the  order  of  dependent  accesses  of  agf 

(3)+(6)+(7)+Def.  6.3-1 


Now  prove  the  Lemma  by  induction  on  the  length  of  j3. 
Basis:  |P |  -  0. 

(9)  agfp  -  agf  is  in  J 


(10)  3f:T(f)  -  T(f)  and  of€J 

(11)  ag€J 


(1)+Def .  6.2-2 


(12)  T(g)€ETJ(a) 


(9)+Ax.  6.2-2+Def .  A. 2-7 
(U)+Def.  6.2-2 
(13)  T(g)  and  T(f)  have  distinct  destinations,  so  T(g)^T(f) 

(9)+(10)+Def .  A. 2-6 

(1A)  T(g)€ETj(af)  (10)+(13)+(12)+Ax.  6.2-5 

(15)  3g:  T(g)  -  T(g)  and  afg€j  (1A)+Def.  6.2-2 

(16)  afg  is  transfer-congruent  to  agf  (10)+(15)+Def .  6.3-2 

(17)  afg  preserves  the  order  of  dependent  accesses  of  agf  (10)+(15)+(8) 

(18)  afg  Is  equivalent  to  agf  (16)+(17)+Thm.  6.3-2 

(19)  V(f)  Is  not  a  pointer  =»  V(f)  =  V(f)  (10)+(18)+Def .  6.1-1 

(20)  -  f  -  f  (10)+Def .  A. 2-5 

(21)  V(g)  is  not  a  pointer  =»  g  *  g  (15)+(18)+Defs .  6.1-1+A.2-5 

If  V(f)  Is  a  pointer,  there  are  two  cases  to  consider.  Case  I: 

(22)  There  is  an  entry  k€a  with  V(k)  ■  V(f) 

(23)  There  is  an  entry  k  in  afg  with  T(k)  =  T(k),  and  since  k€a, 

V(k)  -  V(k)  (16)+Def.  6.3-2 

(2A)  There  is  a  one-to-one  mapping  F  over  pointers  such  that 

V(k)  -  F(V(k))  and  V(f)  -  F(V(f))  (10)+(23)+(18)+Def .  6.1-1 

(25)  F(V(k))  -  F(V(f))  (2A)+(22) 

(26)  V(f)  -  F(V(f))  -  F(V(k))  -  V(k)  -  V(k)  -  V(f)  (2A)+(25)+(23)+(22) 

(27)  afg  is  in  J  (15)+(26)+(10) 

Case  II: 


(28)  There  is  no  entry  in  a  with  the  same  value  as  f 

(29)  Let  p  -  V(f)  and  p'  ■  V(f).  Define  the  map  Y  by 
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(  q  if  q  *  p 

Y(q)  - 

(  p'  If  q  -  p 

Then  substituting  for  each  entry  k  In  afg  a  similar  entry,  with 
transfer  T(k)  and  value  V(k),  if  that  is  not  a  pointer,  or  Y(V(k)) 
otherwise,  yields  afg  (or  afg  if  V(g)  -  p) .  Therefore,  if  V(g)  *  p 


then  afg  ~  afg,  else  afg  ~  afg 


(28)+Def.  5.1-3 


(30)  If  V(g)  *  p,  then  afg  is  in  J,  else  afg  is  in  J(15)+(29)+Const.  5.1-2 
By  applying  the  same  reasoning  as  (22)-(30), 

(31)  if  V(g)  is  a  pointer  not  equal  to  p',  then  afg  is  in  J 


(32)  afg  is  in  J 

(33)  afg  is  transfer-congruent  to  agf 


(19)+(20)+(21)+(30)+(31) 


(34)  afg  preserves  the  order  of  dependent  accesses  of  agf 


Def.  6.3-2 


(32)+(8) 


(35)  afg  is  equivalent  to  agf 


(33)+(34)+Thm.  6.3-2 


Induction  step:  Assume  that  the  Lemma  is  true  for  any  agf  p  in  which 
|p |  ■  n  >  0,  and  consider 

(36)  agfp  *  agf6h.  In  which  |p|  ■  n+1 

(37)  agf6(J,  agf€J,  and  T(h) €ET  (agf§)  (36)+Ax.  6.2-2+Defs.  4. 2-7+6. 2-2 

J 

(38)  J  is  a  job  for  Int  Def.  4.2-2 

(39)  agffih  and  agf  are  causal  computations  for  Int 


(4Q)  afg6  la  in  J 

(41)  ET^afgS)  -  ETJ(agf6) 

(42)  T(h)  is  in  ETJ(afg6) 

(43)  3hs  T(h)  -  T(h)  and  afg6h(J 


(37)+(38)+Ax.  6 . 2-1+Def .  4.2-3 

(36) +(37)+ind.  hyp. 

(37) +(40)+Ax.  6.2-6 

(37)+(41) 

(42) +Def .  6.2-2 

(43) +Def.  6.3-2 


(44)  afgsH  is  transfer-congruent  to  agffih  (43)+Def.  6. 

(45)  Let  afgfiH  be  any  computation  in  J  in  which  T(h)  -  T(h) .  Let  e  be 
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any  structure  operation  execution  initiated  in  agffih,  and  let  A 
be  any  Assign,  Update,  or  Delete  execution.  There  are  then  two 
cases  to  consider. 

Case  1: 

(46)  e's  initiating  entry  is  in  agf 

(47)  e(R(A)  in  agffih  »  A  is  initiated  before  e,  i.e.,  in  agf 

(39)+(46)+Lemma  5.3-8 

(48)  e£R(A)  in  agf6h  and  Ent(e.l)  and  Ent(A,l)  are  in  the  same  access 

history  in  agffih  =»  efR(A)  in  agf  (39)+(46)+Cor .  6.3-1 

(49)  A  V(Ent(e,l))  -  V(Ent(A,l))  Def.  5.1-4 

(50)  =»  Ent(e,l)  and  Ent(A,l)  are  in  the  same  access  history  in  agf 

(46)+(47)+Def.  5.1-4 

(51)  3  A  is  initiated  before  e  in  afg  (34)+(48)+Def .  6.3-1 

(52)  =»  A  is  initiated  before  e  in  afg6h  Def.  4.2-6 

By  symmetry 

(53)  e€R(A)  in  afg6h  and  Ent(e,l)  and  Ent(A,l)  are  in  the  same  access 

history  in  afg6h  =•  A  is  initiated  before  e  in  agf6h 

(54)  (46)  53  afg6h  preserves  the  order  of  dependent  accesses  of  agfSh 

(48)+(52)+(53)+Def.  6.3-1 

Case  It: 

(55)  e’s  initiating  entry  is  in  6h 

(56)  e€R(A)  in  agf6h  3  A  is  initiated  before  e  in  cgf6h  (39)+Lenmia  5.3-8 

(57)  »  letting  A  -  Ex(d,k),  In(/(d))  input  entries  to  A  precede  e's 

initiating  entry  in  agf6h  Def.  4.2-6 

(58)  *•  In(/(d))  input  entries  to  A  precede  e's  initiating  entry  in  afg6h 

(55) 


-318- 


(59)  =»  A  is  initiated  before  e  in  afgSh  Def.  4.2-6 

By  symnetry 

(60)  e€R(A)  in  afgSh  =»  A  is  initiated  before  e  in  agf6h 

(61)  afgSh  preserves  the  order  of  dependent  accesses  of  agfSh 

(45)+(54)+(55)+(59)+(60)+Def .  6.3-1 

(62)  afgSh  is  equivalent  to  agfSh  (44)+(61)+Ttaji.  6.3-2 

By  reasoning  similar  to  (19) -(32) 

(63)  afgSh  is  in  J 

(64)  afg6h  is  transfer-congruent  to  agfSh  Def.  6.3-2 

(65)  afgSh  preserves  the  order  of  dependent  accesses  of  agfSh  (45)+(61) 

(66)  afgp  is  equivalent  to  agfp  (36)+(64)+(65)+Tlni.  6.3-2 

A 

Lomma  6.4-2  Let  (Int,J)  be  any  expansion  from  an  S-S  model  satisfying  the 
Determlnacy  Axioms.  Then  for  any  computation  apfy  in  any  J€J  in  which 

(1)  T(f)fETJ(a) 

afpy  is  in  J,  and  is  equivalent  to  apfy,  and  ETj(af Py)  »  ETj(apfy)  . 

Proof:  By  induction  on  |pj. 

Basis:  |p|  ■  0.  Then  afpy  -  apfy,  so  the  Lemma  is  trivially  true. 
Induction  step:  Assume  the  Lemma  is  true  for  an  apfyfJ  in  which 
)p)  -  n  >  0,  and  consider  any 

(2)  apfy  •  agSfy  in  J  in  which  jpj  ■  n+1 

(3)  T(f)  *  T(g)  Def.  4.2-6 

(4)  og€J 

(5)  KOfBTjtog) 


Ax.  6.2-2+Def.  4.2-7 
(l)+(3)+(4)4Ax.  6.2-5 
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(6)  agf&y  Is  in  J  and  Is  equivalent  to  agfify,  and 


ETjCagfSy)  ■  ETjCagSfy) 

(7)  afg6y  Is  in  J  and  is  equivalent  to  agfSy 

(8)  afg6y  is  equivalent  to  agfify 

(9)  ET^afgSy)  -  ETjtagffiy) 

(10)  ETjCafgfiy)  -  ETJ(ag5fy) 


(5) +(2)+ind.  hyp. 
(l)+(6)+Lemaa  6.4-1 

(6)+(7)-H>ef.  6.1-1 

(6) +(7)+Ax.  6.2-6 

(6)+(9) 

A 


Now  finally  the  Determinacy  Proof  Technique  is  easily  utilized  to 
produce  the  following  quite  general  result: 


Theorem  6.4-1  Every  expansion  (Int.J)  from  an  S-S  model  which  satisfies 
the  Determinacy  Axioms  is  determinate. 

Proof :  It  is  required  to  prove  for  any  J (J  that,  by  virtue  of 
satisfying  the  Determinacy  Axioms,  any  two  halted  computations  co  and  co' 
in  J  are  equivalent.  Assume  without  loss  of  generality  that 

(1)  |co|  <  |co*  I  *  n 

Inductively  construct  from  co  a  sequence  of  computations  . . .  ,wn, 

in  which  each  co^  can  be  written  as 

(2)  ©k  "  akPk*  where 

letting  be  the  length-k  prefix  of  co',  for  1*1,..., k,  the  ith 
entry  in  has  the  same  transfer  as  the  ittl  entry  in  a^,  and 
Pk  ■  co— a^;  i.e.,  pk  is  derived  from  co  by  striking  out  every 
entry  which  has  the  same  transfer  as  an  entry  in 
Prove,  by  Induction  on  k,  the  following  hypotheses: 


! 

r 


t 
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A:  is  in  J 

B:  is  halted  in  J 

C:  is  equivalent  to  co 

D:  5^  is  equivalent  to 

Basis:  k  »  0.  Then  afc  -  X,  so  -  X.  Then  -  co-X  -  to.  So 

“  ■  OjPq  “  «q,  and  A,  B,  C,  and  D  are  trivially  true. 

Induction  step:  For  any  k,  0  S  k  <  n,  assume  that  there  is  an  -  a^Pk 

such  that  A,  B,  C,  and  D  are  true  of  and  construct  to^^- 

(3)  Let  f  be  the  k+lSt  entry  in  w' ,  lie.,  a^+1  -  a^f  is  a  prefix  of  to', 

hence  is  in  J  (2)+Ax.  6.2-2+Def.  4.2-7 

(4)  T(f)  (3)+Def.  6.2-2 

(5)  a.  is  equivalent  to  cl  ind.  hyp.  D 


(4)  TCfXETj^)  (3)+Def.  6.2-2 

(5)  is  equivalent  to  ind.  hyp.  D 

(6)  The  i  entry  in  has  the  same  transfer  as  the  i  “  entry  in  (2) 

(7)  If  the  value  of  the  ifc  entry  in  is  non-pointer  v,  then  the  value 


of  the  i  entry  in  is  non-pointer  v 


(5)+(6)+Def.  6.1-1 


(8)  There  is  a  one-to-one  pointer  correspondence  F  such  that  if  the 

value  of  the  i1*1  entry  in  is  pointer  p,  then  the  value  of  the 
i**1  entry  in  is  F(p)  (5)+(6)+Def .  6.1-1 

(9)  Define  Y:  V  -*•  V  to  be 

P  P 


if  V(f )  is  not  a  pointer  or  F(V(f))  is  defined,  then  Y  ■  F, 


else  for  all  qfV  , 
P 


*<q)  •<  P 


if  that  is  defined 


where  p  is  not  in  the  range  of  F,  if  q-V(f) 


undefined  otherwise 


Then  Y  is  a  one-to-one  map  over  pointers 
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(10) 


(11) 

(12) 

(13) 

(14) 

(15) 

(16) 

(17) 

(18) 

(19) 

(20) 
(21) 
(22) 

(23) 

(24) 

(25) 

(26) 


Let  ?  be  an  entry  with  T(f)  »  T(f)  and  V(f)  equals,  if  V(f)  is  not 
a  pointer,  then  V(f),  else  Y(V(f)).  Then  a^f  can  be  derived  from 
a^f  by  replacing  each  entry  gfa^f  with  a  similar  entry  whose 
transfer  is  T(g)  and  whose  value  is,  if  V(g)  is  non-pointer,  then 
V(g),  else  Y(V(g))  (6)+(7)+(8)+(9) 

(10)+(9)+Def .  5.1-3 

(3)+(ll)+Const.  5.1-2 
(10)+(12)+Def.  6.2-2 
(2)-ttnd.  hyp.  A 


V  “  V 


V 


is  in  J 


T(f)  *  T(f)  is  in  ET^cy 


"k  •  “A  l* ln  J 

is  in  J 


(14)+Ax.  6.2-2-H)ef.  4.2-7 


Pf6pk:  T(f)  -  T(f)  ]  or  [T(f)€ETJ(akPky  (15)+(13)+(14)+Lenma  6.2-1 


T(f)€ETj(5kPk)  -  3h:  \Pfch€J 


Def.  6.2-2 


*  is  a  proper  prefix  of  a  computation  in  J,  and  so  is 

not  halted  in  J 


T(f)mJ(Skpk) 

3f€pk:  T(f)  -  T(f) 


«k  may  be  written  as  &>k  ■ 


Def.  4.2-7 
(17)+(18)+ind.  hyp.  B 
(16)+(19) 
(l4)+(20) 
(13)+(20) 

akfy6  is  in  J  and  is  equivalent  to  akrf6,  and  ETj(akfy6)  - 

(21)+(14)+(22)+Lemma  6.4-2 
(2)+(3)+(20) 


T(f)€ETJ(ak) 


ETj(Vf5) 

l«  \+l  ■  V 


y6  -  Pk-I  -  ®-5k-I  -  co-ak!  -  0)-ak+1  (21)+(14)+(2)+(24) 

Letting  Pk+1  -  r6,  there  is  an  &>k+1  -  -  ak?y6  in  J,  which 

is  equivalent  to  akYf6  *  cok,  and  ET^ (°°k+^ )  ■  ET^o^) 

(25)+(2)+(24)+(23) 
(26) 


(27)  A  for 
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(26)+lnd.  hyp.  C 
Def.  4.2-7 
Def.  6.2-2 
(26) 
Def.  6.2-2 
Def.  4.2-7 
<29)+(33)+ind.  hyp.  B 
(2)+Def .  6.3-2 


(28)  C  for 

(29)  a^+1  is  not  halted  -  3g:  c<^+1g€J 

(30)  -  T(g)  CETj^i) 

(31)  «  T(g) 

(32'  =*  c^ifJ 

(33)  *»  Is  not  halted  In  J 

(34)  B  for  r^+1 

(35)  Is  transfer-congruent  to 

(36)  For  any  structure  operation  execution  e  initiated  in  ^  and  any 

Assign,  Update,  or  Delete  execution  A,  e€R(A)  in  »  A  is 

initiated  before  e  in  (3)+Ax.  6 . 2-1+Lenma  5.3-8 

(37)  o  A  is  initiated  before  e  in  <L^  (2)+Def .  4.2-6 

(38)  e€R(A)  in  =»  A  is  initiated  before  e  in 

(24)+(23)+(2)+Axioms  6 . 2-2+6 . 2-1+Lemma  5.3-8+Def.  4.2-6 

(39)  preserves  the  order  of  dependent  accesses  of 

(36)+(37)+(38)+Def .  6.3-1 

(40)  is  equivalent  to  Oj^;  i.e.,  D  for  (35)+(39)+Thm.  6.3-2 

Thus  it  is  proven  by  Induction  that  u  is  equivalent  to  o>  and  a  is 

n  n 

equivalent  to  aQ. 


(41)  a  ■  (o'  end  B  ■  co-o  ■  X 

u  u  Q 


(42)  to  -  a  B  -  a 

n  n  n  n 

(43)  a  is  equivalent  to  co' 

n 


(2)+(l) 
(2)+(41) 
D+(41)+(42) 

(44)  co  is  equivalent  to  co*  (43)+C 

Since  this  is  true  for  any  two  computations  in  any  one  job  in  J, 

(45)  (Int  ,*/)  is  determinate 


Def.  6.1-1 


Chapter  7 

Proof  of  the  Functionality  of 

The  purpose  of  this  chapter  is  to  demonstrate  that  any  program 
running  on  the  modified  interpreter  M  is  functional.  In  accordance  with 
the  plan  presented  at  the  beginning  of  Chapter  4,  it  will  first  be  proven 
that  every  expansion  in  the  corresponding  entry-execution  model  EGCL^.M) 
is  determinate.  Then  it  will  be  shown  that  the  expansion  of  a  program  P 
is  determinate  only  if  P  is  functional. 

Chapter  6  has  just  concluded  with  a  general  result  for  any  Structure- 
as-Storage  (S-S)  model:  An  expansion  is  determinate  if  it  satisfies  the 
Determinacy  Axioms.  Section  7.1  below  verifies  that  EEd^.M)  is  an  S-S 
model.  Section  7.2  then  proves  that  every  expansion  in  that  model  satis¬ 
fies  the  Axioms,  and  so  is  determinate.  Finally,  Section  7.3  demonstrates 
that  the  construction  of  EE(Lp,M)  produces  determinate  expansions  only 
from  functional  programs. 
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7.1  Verification  that  EEd^.M)  is  an  S-S  Model 

An  S-S  model  is  defined  fundamentally  by  a  set  of  constraints  on  the 
computations  in  every  job  from  an  entry-execution  model.  These  con¬ 
straints  were  synthesized  from  the  schema  model  of  Lgg  on  the  standard 
interpreter,  so  that  EE(Lgg,S)  would  satisfy  them.  Chapter  5  validates 

this  construction  by  proving  analytically  that  EE(L  ,S)  is  indeed  an  S-S 

oS 

is  a  subset  of  Lgg,  and  the  modifications  to  the  standard 
interpreter  did  not  change  the  actions  performed  by  the  structure  oper¬ 
ations.  Therefore,  it  is  to  be  expected  not  only  that  EECL^.M)  is  also 
an  S-S  model,  but  that  the  proof  of  this  is  very  similar  to  that  for 
EE(LBS.S).  A  brief  review  of  the  principle  of  the  earlier  proof  will 
serve  to  motivate  the  steps  taken  in  this  section. 

The  first  constraint  is  easily  proven,  and  the  second  is  a  special 
case  (handled  here  is  Section  7.1.2).  The  remaining  five  constraints  are 
verified  by  a  three-step  deduction:  First,  the  constraints  are  satisfied 
by  every  canonical  computation,  or  pair  of  canonical  computations,  as 

two  computations 

and  in  a  job  of  Interest,  there  is  a  pair  of  these  canonical  computa¬ 
tions  and  such  that: 

A:  For  i*l,2,  for  any  execution  e^  Initiated  in  and  any  other 
execution  eg,  e^  is  in  reach  R(eg)  in  iff  e^  is  in  R(eg)  in 
B:  For  any  two  pointers  Pj^  and  p2>  (Pj^a^pCpj.ag)  •  (F1t“1)P(P2»“2^  * 
Finally,  A  and  B  imply  that  the  five  constraints,  known  to  be  satisfied 
by  and  co  ,  must  hold  for  a  and  a  . 


appropriate,  in  every  job  from  EEd^g.S).  For  any 
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The  validation  of  EE(L^,M)  as  an  S-S  model  is  a  similar  deductipn. 

The  first  and  third  steps  are  identical  to  those  just  listed,  and  so  the 
proofs  in  Chapter  5  apply  directly.  The  second  step  here  requires  an 
extension  of  the  technique  used  earlier.  A  and  B  hold  between  any  two 
pairs  of  computations  a^,  and  co^,  oo^  if  either,  for  i-1,2,  is  a 
prefix  of  co^,  or  for  1*1,2,  oo^  is  SOE-inclusive  of  (Le tunas  5.2-6  and 

5.3-10).  Accordingly,  the  following  chain  of  computations  is  exhibited: 
a  -  any  computation  in  any  job  from  EE(L^,M) 

p  -  a  computation  in  J  ,  where  S  is  an  initial  modified  state  and  2 
is  a  halted  firing  sequence  starting  in  S,  which  has  a  as  a  prefix 
co  *  tj(S,2)  -  a  computation  which  is  SOE-inclusive  of  p  (Lemma  5.2-7) 
a*  *  r)(S',2')»  where  S'  is  the  initial  standard  state  corresponding 
to  S  and  2'  is  a  halted  firing  sequence  starting  in  S'  and  having 
2  as  a  prefix  -  a  canonical  computation  from  EE(LgS,S)  which  is 
SOE-inclusive  of  go  (to  be  proven) 

For  any  pair  and  ,  the  corresponding  co|  and  satisfy  the  final 
five  constraints  (Lemmas  5.3-3,  5.3-5,  and  5.3-6).  The  general  results 
mentioned  are  applied  to  each  successive  pair  of  computations  in  the  chain 
to  show  that  A  and  B  are  true  of  and  co^.  Then  by  Lemma  5.3-11,  and 
a ^  satisfy  the  five  constraints. 

The  key  task  remaining  here  is  to  prove  that  co'  is  SOE-inclusive  of 
go.  For  any  execution  e  *  Ex(d,k)  which  has  input  entries  in  oo,  there  is 
a  prefix  (fcp  of  2  in  which  <p  is  the  k**1  firing  of  d,  and  each  such  input 
entry  describes  the  removal  by  <p  of  a  token  in  S’ 9.  Since  0cp  is  also  a 


-326- 


prefix  of  2’,  e  will  have  input  entries  in  co'  describing  the  removal  of 
tokens  in  S' ' 6.  Similarly,  e's  output  entries  in  go  (go')  describe  the 
removal  of  tokens  on  d’s  output  arcs  in  5*©<p  (S'  ■  8<p)  •  Therefore,  the 
relation  between  e's  input  (or  output)  entries  in  co  and  go'  depends  on 
the  relation  between  S*0  and  S' *9  (or  S*9<p  and  S''Qq>),  which  is  eluci¬ 
dated  in  Section  7.1.1  below.  Section  7.1.2  then  presents  the  result 
that,  as  on  the  standard  interpreter,  any  two  equal  firing  sequences 
starting  in  equal  modified  states  yield  equal  final  states.  This  is  of 
immediate  Importance  in  the  special  case  of  proving  that  every  job 
satisfies  the  second  (Pointer  Transparency)  constraint.  It  is  also  used 
extensively  in  showing  that  every  expansion  satisfies  the  Determinacy 
Axioms.  Section  7.1.3  then  proves  that  co'  is  SOE- inclusive  of  co;  the 
proof  that  EE(LBJ,,S)  is  an  S-S  model  is  then  easily  extended  to  verify 
that  EE(Lb>M)  is  an  S-S  model. 

7.1.1  A  Comparison  of  Standard  and  Modified  States 

The  purpose  here  is  compare  the  states  of  the  standard  and  modified 
Interpreters  when  started  in  corresponding  initial  states  and  subjected 
to  the  same  sequence  of  firings.  The  form  of  a  modified  interpreter 
state,  as  detailed  in  Section  3.3,  differs  from  that  of  a  standard  state 
in  two  regards:  the  replacement  of  simple  pointers  as  values  of  tokens  by 
read  and  write  pointers,  and  the  presence  of  a  pool  component  Q. 
Paralleling  these  are  the  following  differences  in  content  between  an 
initial  modified  state  5  and  its  corresponding  Initial  standard  state  S' : 
every  token  with  pointer  value  p  in  S'  is  replaced  with  one  with  value 
(p,R),  and  the  pool  component  in  S  is  empty. 
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Any  firing  sequence  £  starting  in  S  is  an  abbreviation  for  a  sequence 
of  states  beginning  with  S.  Each  state  in  this  latter  sequence  is 
obtained  from  the  immediately-preceding  one  by  an  application  of  the 
state-transition  rule.  Assuming  that  2  is  also  a  firing  sequence  starting 
in  s’  ,  the  differences  in  content  between  the  resulting  final  states  S'Q 
and  s' '2  are  determined  by  differences  in  the  state-transition  rules  of 
the  two  interpreters.  The  standard  rule  was  modified  just  in  that  the 
data  tokens  output  by  a  firing  of  a  Select  actor  may  be  withheld. 
Specifically,  if  a  firing  of  a  Select  actor  labelled  S  would  output  a 
pointer  p  on  the  standard  interpreter,  and  there  are  tokens  of  value  (p,W) 
in  the  current  configuration,  then  no  data  output  tokens  appear,  and  S  is 
placed  in  the  pool  Q(p) .  S  remains  in  Q(p) ,  and  the  data-output  arcs 
remain  empty,  until  all  tokens  of  value  (p,W)  have  disappeared.  Then  S 
is  removed  from  Q(p)  and  tokens  of  value  (p,R)  are  placed  on  the  data- 
output  arcs  of  the  actor  labelled  S. 

From  this,  it  is  expected  that  these  differences  in  content  between 
S’Q  and  S'" 2  would  be  observed: 

(1)  Every  arc  which  holds  a  token  of  value  (p,R)  or  (p,W)  in  S' 2  holds 
a  token  of  value  p  in  5’ *2. 

(2)  For  every  label  S  in  any  pool  Q(p)  for  a  pointer  p  in  S' 2,  the 
data-output  arcs  of  the  actor  labelled  S  are  empty. 

Point  (2)  Implies  that  the  data-output  arcs  of  the  actor  labelled  S 
necessarily  hold  tokens  of  value  p  in  S' -2,  by  the  following  reasoning: 

2  can  be  written  as  6<pA,  where  <p  is  the  last  firing  of  S  in  2.  Since  S 
is  in  Q(p) ,  that  firing  would  have  output  tokens  of  value  p  on  the 
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standard  interpreter;  hence,  there  are  such  tokens  in  the  standard  state 
S'"Q<p.  For  any  prefix  X  of  A,  the  data-output  arcs  of  S  in  S‘Q<pX  remain 
empty,  so  there  can  be  no  firing  in  A  which  removes  a  token  from  one  of 
those  arcs  on  the  modified  interpreter.  Therefore,  there  is  no  firing  of 
an  actor  in  A  which  removes  a  token  from  one  of  those  arcs  on  the  standard 
interpreter,  so  there  are  still  tokens  of  value  p  on  the  data-output  arcs 
of  S  in  S' *&.  Any  standard  and  modified  states  of  the  same  program  which 
are  so  related  are  congruent ,  as  defined  in  the  following: 

Definition  7.1-1  (Congruent  states)  Given  any  Lgg  program  P,  let 
S  “  (r,U,Q)  be  any  modified  state  for  P  and  let  s'  =  (F'.U*)  be  any 
standard  state  for  P.  For  any  arc  b  in  P,  the  conditions  of  b  in  S_  and  S' 
match  to  within  withheld  outputs  iff: 

a.  if  b  is  a  data-output  arc  of  a  Select  operator  labelled  S  and  there 
is  a  pointer  p  such  that  S  is  in  Q(p) ,  then  b  holds  a  token  of  value 
p  in  r'  and  is  empty  in  F; 

b .  otherwise ,  either 

i.  b  is  empty  in  both  T  and  r'»  or 

ii.  b  holds  tokens  of  non-pointer  value  v  in  both  r  and  r'»  or 

iii.  b  holds  a  token  of  pointer  value  p  in  r*  and  a  token  of  value 
(p,R)  or  (p,W)  in  r. 

S  and  S'  are  congruent,  written  iff 

1.  U  and  U?  are  identical,  and 

2.  for  each  arc  b  in  P,  the  conditions  of  b  in  S  and  S'  match  to 
within  withheld  outputs. 

A 
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Now  it  can  be  shown  that  a  given  firing  sequence  takes  any  initial 
modified  state  and  its  corresponding  initial  standard  state  into 
congruent  final  states: 

Theorem  7 .1-1  Let  S  be  any  initial  modified  state  for  any  L__  program  P 
and  let  s'  be  the  corresponding  initial  standard  state.  Let  Q  be  any 
firing  sequence  starting  in  £  on  the  modified  interpreter.  Then 
A:  a  is  also  a  firing  sequence  starting  in  S'  on  the  standard 
interpreter,  and 
B:  S'‘S{iS’i 2. 

Proof :  (The  proof  of  this  is  simply  an  exhaustive  demonstration  that, 
except  for  the  differences  noted,  every  firing  of  an  actor  has  the  same 
effects  —  on  the  heap,  its  input  arcs,  its  output  arcs,  and  all  other 
arcs  —  on  the  two  Interpreters;  thus,  it  is  relegated  to  Appendix  E.) 

A 

Corollary  7.1-1  Let  S  be  any  initial  modified  state  for  any  Lg,.  program 
P,  and  let  0  be  any  firing  sequence  starting  in  S.  Then  for  any  label  d 
of  a  Select  operator  in  P,  if  d  is  in  a  pool  in  S*0,  then  all  of  the  data- 
output  arcs  of  that  operator  are  empty  in  S' 9. 

Proof:  Let  S'  be  the  initial  standard  state  corresponding  to  S.  Then 
S’-epS-e  [Thm.  7.1-1J.  The  Corollary  follows  from  this  and  Def.  7.1-1. 

A 

7.1.2  Pointer  Transparency 

The  Pointer  Transparency  Constraint  is  the  only  non-trivial 
constraint  which  does  not  lend  itself  to  a  proof  in  the  form  discussed  at 

V 

the  start  of  Section  7.1.  In  common  with  the  others,  however,  the  proof 


-330- 


that  every  job  satisfies  this  constraint  parallels  the  corresponding 
portion  of  the  validation  of  EE(Lgg.S).  The  heart  of  the  latter  is 
Theorem  5.3-1:  for  any  two  equal  standard  states  and  Sg »  and  any  two 
equal  firing  sequences  2^  starting  in  and  starting  in 
equals  S^*2^.  Developing  an  analogous  result  for  the  modified  interpreter 
requires  first  a  definition  of  equal  modified  states. 

Two  standard  states  5^  and  5^  for  program  P  are  equal  iff  there  is  a 
one-to-one  mapping  I  such  that,  for  every  arc  b  in  P, 

Match((b,Sp,  I,  (bjSj))*  The  first  of  the  two  ways  in  which  the  form 
of  a  modified  state  differs  from  that  of  a  standard  state  is  the  presence 
of  read  and  write  pointers,  which  are  distinct;  i.e.,  (p,R)  t  (p',W),  even 
if  p  -  p'.  An  appropriate  definition  for  matching  conditions  of  an  arc 
in  two  modified  states  has  already  been  presented  as  Definition  3.4-1. 

The  second  difference  in  form  is  the  pool  component  in  a  modified  state. 
Intuitively,  the  pool  components  and  of  two  states  and  s ^  ar® 

equal  only  if,  for  every  Select  label  S,  3p^:  S^Q^Cp^)  ••  3p£t  SCt^CPj)* 
Furthermore,  if  S  is  in  a  pool  in  both  and  Qj .  then  the  pointers  p^ 
and  p^  must  be  related:  Eventually,  S  will  be  removed  from  those  pools, 
and  tokens  of  value  (p^,R)  and  (p2»R)  will  be  placed  on  its  data-output 
arcs;  in  order  that  the  conditions  of  those  arcs  match  at  that  time,  p^ 
and  p2  should  point  to  equal  components  of  the  heaps  in  and  Sj*  This 
is  made  precise  in  the  following  complete  specification  of  two  equal 
modified  states: 

Definition  7.1-2  Two  modified  interpreter  states  S ^  -  (r^U^Qj)  and 
S ^  “  ^2,U2’^2^  for  the  saae  Pr°gram  P  are  equal  iff  there  is  a  single 
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one-to-one  mapping  I  such  that: 

1.  For  every  arc  b  in  P,  Match((b,S^) ,  I,  (b,S^)). 

2.  For  every  label  S  of  a  Select  operator  in  P,  letting  m  (N^,n^,SM^) 

and  U2  -  (N2,n2,SH2), 

3pt!  «  3p2:  s«q2(p2)  -u2.n2(p2)  -  o,.n,(p1). 

A 

The  proof  that  equal  firing  sequences  2^  and  2^  starting  in  equal 
initial  modified  states  5^  and  S 2  yield  equal  final  states  proceeds 
indirectly  through  standard  states.  That  is,  the  initial  standard  states 
and  S'^  corresponding  to  S ^  and  5 2  are  equal  to  each  other,  so 
equals  S ’*22,  Since  an<*  ^2‘^2M^2  S22’  is  easily  shown  that 

the  condition  of  any  arc  b  which  holds  a  token  in  s2'®2  Batches  lta 
condition  in  If  b  holds  a  token  of  non-pointer  value  v  in  S2*22, 

then  it  does  so  in  ^by  congruence),  in  (by  equality  of  stan¬ 

dard  states),  and  in  S^‘2^  (by  congruence  again).  If  b  holds  a  token  of 
value  (p2,R)  or  (p2,W)  in  *^2 *S22 »  then  it  holds  a  token  of  value  p2  in 
52*S22,  one  of  value  p^,  which  points  to  an  equal  component,  in  5^*2^,  and 
one  of  value  (p^,R)  or  (p^,W)  in  S^’2^-  All  that  remains  to  show  a  match 
is  to  prove  that  b  holds  either  a  write  pointer  in  both  states  or  a  read 
pointer  in  both  states. 

Proof  that  the  pool  components  are  equal  is  by  an  induction  based  on 
the  following:  For  each  prefix  @^1  of  % »  the  last  firing  cp^  causes  a 
Select  label  S  to  be  placed  into  a  poo).  Q^(p^)  iff,  for  the  same-length 
prefix  824>2  of  &2>  <p2  causes  S  to  be  placed  in  a  pool  Q2(p2).  Pointers 
p^  and  p2  are  those  which  would  be  placed  on  the  output  arcs  of  the  actor 
labelled  S  by  <p^  and  <p2  on  the  standard  Interpreter;  since  52*62<p2  equals 


Si’ei<pl’  P1  and  p2  point  to  etlual  components.  Finally,  every  arc  holds  a 
pointer  (p^,W)  after  a  prefix  of  2^  iff  it  holds  a  pointer  (p2»W)  after 
the  same-length  prefix  of  30  s  ls  removed  from  the  pools  after  the 
same- length  prefix  of  each  firing  sequence. 

Theorem  7.1-2  For  any  two  equal  modified  states  5^  and  S 2  *OT  th®  same 
Lgg  program  P,  and  for  any  two  equal  firing  sequences  2^  starting  in 
and  2^  starting  in  S ^  S 2*^2  5^*2^.  Furthermore,  if  1  is  the 

mapping  under  which  the  conditions  of  each  arc  b  in  P  match  in  52  and  5^, 
then  the  mapping  under  which  the  conditions  of  b  match  in  s2*^2  and 
is  IUKn^.nj) |  3k:for  1*1,2,  n^  is  the  node  in  the  k**1  Copy  firing  in  2^}. 
Finally,  the  initial  standard  states  corresponding  to  5^  and  5^  are  equal. 

Proof; 

(1)  For  any  modified  configuration  T,  let  DT(D  denote  the  configuration 

obtained  by  replacing  each  token  in  T  of  value  (p,R)  or  (p,W), 
where  p  is  a  pointer,  with  a  token  of  value  p.  Let  5^  ■  (rx,Ux,Qx) 
and  Sy  «  (Ty,Uy,Qy)  be  any  two  modified  states  for  P  which  are 
equal  under  a  mapping  K.  Then  (DT(F  ) ,U  )  and  (DT(T  ),U  )  are 

xx  y  y 

standard  states  Defs.  3 . 3-4+3 . 3-3+2 . 1-3 

(2)  For  each  arc  b  in  P,  Match((b,5  ),  K,  (b,5  ))  (1)+Def.  7.1-2 

*  y 

(3)  Letting  U  ■  (N  ,17  ,SM  )  and  U  ■  (N  ,17  ,SM  ),  either  b  has  no  token 

x  xxx  y  yyy 

in  rx  and  or  b  has  tokens  of  non-pointer  value  v  in  both  Tx 
and  r  ,  or  there  are  pointers  p^  and  p^  such  that  b  has  tokens  of 
values  (p^,R)  and  (p2>R)»  or  (pltW)  and  (p2»W),  in  Tx  and  r  ,  and 
°y*ny(p2)  "  ux*nx(pl)  (2)+Defs.  3. 3-3+3. 4-1 
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(4)  Either  b  has  no  token  in  either  DT(r )  or  DT(r  )>  or  b  has  tokens 

x  y 

of  non-pointer  value  v  in  DT(r  )  and  DT(T  ),  or  there  are  pointers 

x  y 

p^  and  p£  such  that  b  has  tokens  of  value  p^  and  p2  in  DT(rx>  and 
DT(ry)  and  -  Uy.riy(p2)  (l)+(3) 

(5)  For  each  arc  b,  Match((b,(DT(r  ) ,U  )) ,  K,  (b,(DT(r)  ,U  ))) 

xx  y  y 

(l)+(4)+Def.  2.4-2 

(6)  (DT(r  ),U  )  equals  (DT(T  ) ,U  )  under  K  (5)+Def.  2.4-3 

xx  y  y 

(7)  For  1*1,2,  let  S±  -  (T±fVi9Q±)9  where  Ut  -  (N^n^SM^.  Then  the 

initial  standard  state  corresponding  to  S is  (DT(r^),U^)t  so 
the  initial  standard  states  corresponding  to  and  are  equal 
under  1  (l)+(6)+Def.  3.3-5 

Prove  the  rest  of  the  Theorem  by  induction  on  the  length  of  2^. 

Basis:  l&jJ  •  0. 

(8)  |a2|  -  0  Def.  2.4-5 

(9)  52*a2  "  S2  and  S’1*ai  -  S±  (8)+Def.  2.3-1 

(10)  lU{(nj,n2)|  3k:for  1*1,2,  is  the  node  In  the  kth  Copy  firing 

in  2±}  »  I  (8) 

The  Theorem  follows  from  (9)  and  (10)  plus  the  hypothesis. 

Induction  step:  Assume  that  the  Theorem  is  true  for  any  and  a2  of 
length  n  >  0,  and  consider  equal  firing  sequences  and 

length  nfl,  in  which  <p ^  is  a  firing  of  actor  d. 

(11)  is  also  a  firing  of  d,  and  2^  an^  S,  are  equal  firing  sequences 

of  length  n  Def.  2.4-5 

(12)  2^  is  a  firing  sequence  starting  in  (ll)+Def.  2.3-1 

(13)  Use  the  following  notation,  for  i-1,2: 
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Pire(5i*2i,d)  -  (r'.U^.Q'),  where  Uj  -  (N|,n|,SM[) 

51*81<p1  -  <r£,0£,Q"),  where  U"  -  (K»,n^,SH") 

Denote  by  1^  the  configuration  Standard^  (Stripd^.d)  ,Uj)  ,d) 

Denote  by  I*  the  nap  IU^.n^  |  3c:  for  i-1,2,  n±  ia  the  node  in 
the  kth  Copy  firing  in  21>  end  by  I*  the  nap  IU{(nltn2)|  3c: 
for  i-1,2,  n^  ia  the  node  in  the  k**1  Copy  firing  in  2^<p^} 

(14)  ^2*22  e<*ua*8  ^1*^1  under  1+  (12)+(13)+ind.  hyp. 

(15)  Por  i-1,2,  let  S~  -  (DT(ri),U1).  Then  5~  ia  a  standard  state,  and 

S~  equals  S  under  I+  (14)+(l)+(6) 

2  1 

(16)  d  la  enabled  inS2'Q2  and  inS^Sj  (ll)+Def.  2.3-1 

(17)  The  distribution  of  tokens  on  d's  input  and  output  arcs  in  1*^, 

hence  in  DT(T^) ,  confoms  to  the  enabling  conditions  for  d 

(16)+(l)+0ef.  3.3-6 

(18)  d  ia  enabled  in52  and  in  S ^  (17)+Def.  2.1-4 

(19)  q>2  and  ^  are  two  equal,  length-1  firing  sequences  starting  in$2 

and  5^  (ll)+(18)+Defa.  2. 4-5+2. 3-1 

(20)  S".<p2  equals  under  I+U{(n1Pn2)|  3k:  for  i-1,2,  is  the  node 

in  the  k**1  Copy  firing  in  }  •  I  (15)+(19)+(13)+Thm.  5.3-1 

(21)  Por  any  configuration  T,  heap  U,  and  actor  d,  the  values  of  the 

tokens  on  d's  output  arcs  in  Standard^ (r,U) ,d)  depend  only  on 
the  values  of  the  tokens  on  d's  input  arcs  in  T  and  on  0,  and,  if 
d  is  a  Copy,  on  the  arbitrary  pointer-node  pair  added  to  II 

Defs.  2. 1-5+2. 2-5 

(22)  -  (Standardr((DT(ri),Ui),d),Standardu((DT(ri),U1),d)) 

(19)+(11)+(15)+Def a .  2. 3-1+3. 3-7 


(23)  U’  -  Standard0((Strip(r1,d),Ui),d) 


(13)+Oef .  3.3-9 
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(24)  d  is  a  Select  =»  its  input  arcs  hold  tokens  of  the  same  value  in 

DTd’j)  and  StrlpCl^.d)  (104Def.  3.3-8 

(25)  a  Standardu((DT(ri),U1),d)  -  U±  Def.  2.2-5 

(26)  -  Uj  -  U£  (23)+Def .  2.2-5 

(27)  d  is  a  Select  A  there  is  a  pointer  on  a  data-output  arc  of  d  in 

either  or  =»  there  is  a  pointer  on  a  data-output  arc  of  d  in 
either  Standard^ (DT(rj)  ,1^)  ,d)  or  Standardr((DT(r2)  ,U2)  ,d) 

(13)+(21)+(24) 

(28)  =»  there  are  two  pointers  and  p2  such  that  there  are  tokens  of 

value  p^  on  d's  data-output  arcs  in  Standard^((DT(Ti) .U^) ,d)  and 
U2.n2(p2)  -  Uj.TI^pj)  (22)+(25)+(20)+Defs.  2. 4-3+2. 4-2 

g 

(29)  ■*  there  are  tokens  of  value  p^  on  d's  data-output  arcs  in  and 

U^.n^(p2)  -  0|.n^(p1)  (13)+(21)+(24)+(26)+Def.  2.4-1 

(30)  For  any  actor  c,  Bp^  c€Q^(pj)  iff  3p2:  c€Q2(p2)  and  if  so, 

n2(p2)  -  I+(ni(p1))  (14)+Defs.  7. 1-2+2. 4-1 

(31)  For  any  actor  c,  3p^:  c€Q^(p^)  iff  3p^:  c€Q1(p1)  or  c  -  d  is  a 

g 

Select  A  3p^:  p^  is  on  the  data-output  arcs  of  d  in  Def.  3.3-9 

(32)  iff  3p2:  c€Q2(p2)  (30) 

8 

(33)  or  c  ■  d  is  a  Select  A  3p2:  p2  is  on  the  data-output  arcs  of  d  in  r2 

(27)+(29) 

(34)  iff  3p2:  c€Q^(p2)  Def.  3.3-9 

(35)  There  are  pointers  p^  and  p2  such  that  cCQ^Cpj)  =>  c€Q^(pi)  or 

c  ■  d  is  a  Select  and  there  are  tokens  of  value  p^  on  data-output 
arcs  of  d  in  T*  Def.  3.3-9 

(36)  •  since  1^  is  a  subset  of  nj,  n2(p2)  -  I+(nj(Pj)) 


(30)+(23)+Def .  2.2-5 
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(27)+(29) 
Def.  2.4-1 


* 

(37)  V  u* .n^(p2)  -  u[.n’(Pl) 

(38)  -  n’(p2)  -  i+(n|(Pl))  or  n*(p2)  -  i*(n[(Pl)) 

(39)  »  since  I+  is  a  subset  of  I*,  n£(p2)  -  I*(TIJ(p1))  (J3) 

(40)  Let  S ^  and  S*  be  the  initial  standard  states  corresponding  to 

and  S 2»  Then,  for  1*1,2,  is  a  firing  sequence  starting  in  £*, 

* 

and  s1*21<P1M^i'2i<Pi  Thm.  7.1-1 

*  *  * 

(41)  52-S22<p2  equals  under  I  ,  which  is  one-to-one 

(7)+(40)+(13)+Thm.  5.3-1 

(42)  For  any  input  arc  b  of  d,  b  has  a  token  in  iff  d  is  a  merge 

gate  whose  control  input  in  Strip(r^.d)  is  false  (true),  b  is  its 
T  (F)  input  arc,  and  b  has  the  same  token  in  Strip(r^.d) 

(13)+Defs.  3. 3-7+2. 1-5 

(43)  For  any  arc  b,  3p:  b  has  a  token  of  value  (p,W)  in  *»  3p:  b 

has  a  token  of  value  (p,W)  in  1^  and  [b  is  an  output  arc  of  d  and 
d  is  a  Copy  or  Select  =»  b  is  a  number-1  output  arc  of  a  Copy] 

Def.  3.3-9 

(44)  *»  [b  is  an  output  arc  of  d  and  d  is  a  Select  or  Copy  »  b  is  a 

number-1  output  arc  of  a  Copy]  and  either  [3p:  b  is  neither  an 
input  nor  an  output  arc  of  d  and  b  holds  a  token  of  value  (p,W) 
in  Strlp(r^,d)]  or  [3p:  b  is  an  input  arc  of  d  and  holds  a  token 
of  value  (p ,W)  in  r*]  or  [3p:  b  holds  a  token  of  value  (p,W)  in 
rj  and  b  is  an  output  arc  of  d,  ao  d  is  either  a  Copy,  Select, 
or  pi  operator]  Defs.  2. 1-5+2. 2-5 

(45)  •  either 

(45a)  3p:  b  holds  a  token  of  value  (p,W)  in  Strip(r^,d),  and  either  b 

is  not  an  input  or  an  output  arc  of  d,  or  d  is  a  merge  gate  whose 


ft 
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control  input  in  Strip (r^.d)  is  false  (true)  and  b  is  d's  T  (F) 
input  arc,  or 

(45b)  b  is  a  number-1  output  arc  of  d  and  d  is  a  Copy,  or 

(45c)  ]p:  b  is  an  output  arc  of  d,  d  is  a  pi  operator,  and  b  holds  a 

token  of  value  (p,W)  in  r*  (< 

(46)  (45a)  =»  since  a  gate  is  a  pi  actor,  3p:  b  holds  a  token  of  value 
(p,W)  in  r^,  and  either  b  is  not  an  input  or  output  arc  of  d,  or 
d  is  a  merge  gate  whose  control  input  in  is  false  (true)  and 


b  is  its  T  (F)  input  arc 


Def .  3.3-8 


(47)  a  3p':  b  holds  a  token  of  value  (p',W)  in  ^  and  either  b  is  not 

an  input  or  output  arc  of  d,  or  d  is  a  merge  gate  whose  control 
Input  in  r2  is  false  (true)  and  b  is  d's  T  (F)  input  arc 

(14)+Defs .  7. 1-2+3. 4-1 

(48)  «  3p'j  b  holds  a  token  of  value  (p',W)  in  Strip(r2,d),  and  either 

b  is  not  an  input  or  output  arc  of  d,  or  d  is  a  merge  gate  whose 
control  input  in  Strip(r2»d)  Is  false  (true)  and  b  is  its  T  (F) 
input  arc  Def.  3.3-8 

(49)  a  3p' :  b  holds  a  token  of  value  (p'  ,W)  in  rf),  hence  in  T2 

(42)+Defs.  2. 1-5+3. 3-9 

(50)  (45b)  a  3p':  there  is  a  token  of  value  (p',W)  on  b  in  r2  Def.  3.3-9 

(51)  (45c)  »  3p:  there  is  an  input  arc  of  d  which  holds  a  token  of  value 

(p,W)  in  Strip(T^,d),  hence  in  and  if  d  is  a  T-  (F-)gate,  its 
control  input  arc  in  Strip(r^,d),  hence  in  r^,  is  true  (false) 

Defs.  3. 3-8+2. 2-4+2. 1-5 

(52)  a  3p':  there  is  an  input  arc  of  d  which  holds  a  token  of  value 

(p',W)  in  r2,  hence  in  Strip(r2»d),  and  if  d  is  a  T-  (F-)gate,  its 


control  input  in  r^,  hence  in  Stripy, d) ,  is  true  (false) 

(14)+Defs.  3 . 3-8+7 . 1- 2-4-3 .4-1 

(53)  =»  3p':  b  holds  a  token  of  value  (p',W)  in  T®*  hence  in 

Defs.  2. 2-4+2. 1-5+3. 3-9 

(54)  For  any  arc  b,  3p:  b  holds  a  token  of  value  (p,W)  in  *»  3p' :  b 

holds  a  token  of  value  (p' ,W)  in 

(43)+(45)+(46)+(49)+(50)+(51)+(53) 

By  symmetry, 

(55)  For  any  arc  b,  3p:  b  holds  a  token  of  value  (p,W)  in  °  3p':  b 

holds  a  token  of  value  (p' ,W)  in  F|  (43)-(54) 

(56)  For  any  arc  b,  3p:  b  holds  a  token  of  value  (p,W)  in  iff  3p:  b 

holds  a  token  of  value  (p,W)  in  (13)+Def.  3.3-9 

(57)  iff  3p’:  b  holds  a  token  of  value  (p',W)  in  (54)+(55) 

(58)  iff  3p':  b  holds  a  token  of  value  (p',W)  in  r”  Def.  3.3-9 

(59)  The  heap  in  5**^^  is  (13)+(40)+Defs.  7. 1-1+3. 3-9 

(60)  Letting  be  (r^,U^),  for  every  arc  b  in  P,  either 

*  * 

b  is  empty  in  both  and  r2,  or 

*  * 

b  has  tokens  of  non-pointer  value  v  in  and  r2>  or 
there  are  pointers  p^  and  p2  such  that  b  has  a  token  of  value  p^ 
in  T*  and  U”.n^(p2)  -  U^.n^Pj^)  (59)+(41)+Defs.  2. 4-3+2. 4-2 

(61)  For  every  arc  b  in  P,  [b  is  a  data-output  arc  of  Select  S  =»  there  is 

no  pointer  p  such  that  S€Q£(p)  or  S€Q2(p)]  =»  either 
b  is  empty  in  both  F^  and  F^,  or 

b  has  tokens  of  non-pointer  value  v  in  and  F'2,  or 
b  has  a  token  of  value  (p^ ,R)  or  (p^.W)  in  F”  and 
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* 

U!J.n,^(p2)  -  U".n^(p1)  (13)+(40)+Def.  7.1-1 

(62)  a  £ 3p^ :  b  has  a  token  of  value  (p^,W)  in  =»  3p2:  b  has  a  token 

of  value  either  (p2,R)  or  (p2>W)  in  r'2  and  U^.n2(p2>  -  Oj.n'^Pj^) 

»»  b  has  as  token  of  value  (p2,W)  in  r'2  and  UjJ.n'^^j)  -  0£.n£(Pj)] 

(56)+(58) 

(63)  a  [3p^:  b  has  a  token  of  value  (p^,R)  in  r'^  =»  ,2p2:  b  has  a  token 

of  value  (p2>W)  in  r2  =»  3p2:  b  has  a  token  of  value  (p2,R)  in  r*2 
and  U^.n'2(p2)  -  ui*n^(px)  1  (56)+(58) 

(64)  »  Match((b,(r2>U'2,Q”))  »  I*,  (b,(rj,Uj,Qj[)))  Def.  3.4-1 

(65)  For  any  Select  operator  c,  3p2:  c€Q'2(p2)  a  3p2:  c£Q^(p2)  and  there 

is  an  arc  a  in  p  which  holds  a  token  of  value  (p2»W)  in  r2» 
hence  in  rjj  (13)-H)ef.  3.3-9 

(66)  a  3plS  c€Q[(p1)  and  n£(p2)  -  I*(n[(px))  (31)+(34)+(35)+(39) 

(67)  a  a  is  not  a  data-output  arc  of  a  Select  operator  Def.  3.3-9 

(68)  a  there  is  a  pointer  p_  such  that  a  has  a  token  of  value  (p,,W) 

in  rjt  hence  in  r|,  and  Ujj.n^Pj)  U£.n*^(p3) 

(65)+(61)-(63)+Def.  3.3-9 

(69)  a  n2(p2)  -  I*(n[(Pl))  and  nj(p2)  -  I*(nj(P3))  (66)+Def .  2.4-1 

(70)  -n’(p2)  -  i*(n[(Pl))  and  n^(p2)  -  i*(n[(p3))  (59) 

(71)  a  p^  ■  P3,  since  I*,  n^,  and  n2  are  one-to-one  (41)+Def.  2.2-1 

(72)  a  c€Q^(p^)  and  there  is  an  arc  which  has  a  token  of  value  (p^,W) 

in  r’  (66)+(68) 

L  * 

(73)  a  c€Q,^(p1)  and  U^.n'^p^  -  U'^.n^p^  (71)+(68)+Def .  3.3-9 

By  symmetry , 

* 

(74)  3p3:  cfQ^Pj)  -  3p2:  c€Q'2(p2)  and  U£.n2(p2)  -  u£.n£(Pj) 
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(75)  For  any  arc  b,  b  is  a  data-output  arc  of  a  Select  operator  S  and 

there  is  a  p  such  that  either  S€Q^(p)  or  S€Q2(p)  *  there  are 
pointers  px  and  p2  such  that  S*Q"(Pl)  and  S*Q£(p2)  (65)+(73)+(74) 

(76)  =.  b  is  empty  in  both  and  r’2  (40)+Def.  7.1-1 

(77)  For  any  arc  b  in  P,  Match ( (b ,s2 •  2^)  ,  I*,  (b^-a  <p  )) 

(13)+(60)+(64)+(75)+(76)+Def.  3.4-1 

(78)  S2'22(p2  equals  under  I*  (77)+(65)+(73)+(74)+Def .  7.1-2 

A 

This  fundamental  result  will  have  many  Important  applications  in 
this  chapter,  the  first  being  in  the  proof  that  every  job  from  EEd^.M) 
satisfies  the  Pointer  Transparency  Constraint.  This  is  composed  of  one 
Corollary  and  one  Lemma,  whose  statements  are  identical  to  those  developed 
in  the  validation  of  EE(Lgg.S)  and  whose  proofs  are  so  similar  that  only 
the  differences  are  noted  here. 

Corollary  7 . 1-2  Let  be  any  modified  state  for  an  L^g  program  P,  and 
let  2^  be  any  firing  sequence  starting  in  Sy  Let  S2  be  any  modified 
state  equal  to  5^,  and  let  Q2  be  any  firing  sequence  equal  to  Then 

A:  Each  actor  in  P  is  enabled  in  iff  It  is  enabled  in  Sy 
B:  If  the  multiset  AP  of  the  pointer-node  pairs  in  the  Copy  firings 
in  fi2  is  consistent  with  the  heap  in  S2,  then  22  is  a  firing 
sequence  starting  in  S2,  and  &2  is  halted  iff  is  halted. 

Proof:  Identical  to  the  proof  of  Corollary  5.3-1  with  the  following 
exceptions: 

Lines  (1)  through  (4)  should  read 
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(1)  There  is  some  one-to-one  mapping  I  under  which,  for  each  arc  b  in  P, 

Match((b ^2) *  I,  (b,S^)),  and,  letting  the  pool  component  in  be 
Q^,  i*l,2,  for  each  actor  d,  3p:  d6Q^(p)  *•  3p’:  dfC^p')  Def.  7.1-2 

(2)  For  each  actor  d  in  P,  each  input  and  output  arc  of  d  has  a  token  in 

^2  iff  it  has  a  token  in  5^  (1)+Def.  3.4-1 

(3)  Enabling  conditions  for  d  depend  only  on  the  presence  or  absence  of 

tokens  on  d's  input  and  output  arcs  and  on  whether  or  not  d  is 
in  a  pool  Def s.  3. 3-6+2. 1-4 

(4)  d  is  enabled  in  S2  iff  d  is  enabled  in  S  (3)+(2)+(l) 

Line  (15)  is  replaced  by  the  two  lines : 

(15a)  =»  letting  ^2®2  be  »  (P»n)  cannot  be  added  to  n  in  going  from 

U  to  Standardy((Strip(r,d) ,U) ,d)  Def.  3.3-9 

(15b)  =»  letting  U  *  (N.n.SM),  pfdom  n  or  n€N  Table  2.2-1 

A 

Lemma  7.1-1  Let  (Int,J)  be  any  expansion  from  EE(L^,M).  Then  every 
job  J€i/  satisfies  the  Pointer  Transparency  Constraint. 

Proof :  Identical  to  the  proof  of  Lemma  5.3-2  with  the  following 
exceptions: 

Line  (3)  should  read: 

(3)  (Int,»/)  is  the  expansion  of  some  L^  program  P,  which  is  also  an 

program,  and  J  ■  J  for  some  equivalence  class  E  of  initial 
E* 

modified  states  for  P  Defs.  3.3-12+4.3-1+4.3-2 

The  following  substitutions  are  made: 

Thm.  7.1-2  for  Thm.  5.3-1 
Cor.  7.1-2  for  Cor.  5.3-1 


Def.  7.1-2 


for 


Def.  2.4-3 


Def.  3.4-1 


for 
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Def.  2.4-2 


In  the  justifications  for  lines  (7),  (8),  (16),  (18),  (19),  (20),  (31), 
(57),  and  (59). 

For  1*1,2,  the  phrase  "token  with  value  v^"  is  replaced  with  "token 
with  value  v^  (v^R),  or  (v^W)"  in  lines  (6),  (19),  (34),  (37),  (40), 
and  (41) . 

Line  (13)  is  replaced  with  the  two  lines 
(13a)  =»  (p,n)  could  not  be  added  to  IT’  in  going  from  U'  to 

Standard^ (Strip (T' ,d) ,U') ,d)  Table  2.1-1 

(13b)  =»  (p,n)  could  not  be  added  to  17*  in  going  from  5^*0  to  5^*0<p 

Def.  3.3-9 

A 

7,1.3  Relation  Between  Canonical  Computations  in  EEd^.M)  and  EE(LBg,S) 

As  explained  at  the  start  of  this  section,  the  major  new  development 
used  to  validate  EE(LD,M)  as  an  S-S  model  is  the  following  assertion: 

For  any  initial  modified  state  S  and  halted  firing  sequence  2  starting  in 
5,  there  is  an  initial  standard  state  S'  and  halted  firing  sequence  2' 
starting  in  S'  such  that  -nOS’.S’)  is  SOE-inclusive  of  ti(5,2).  The  prime 
candidate  for  S'  is  the  initial  standard  state  corresponding  to  5,  for 
that  is  as  closely  related  to  5  as  any  standard  state  can  be.  It  has 
already  been  shown  that  2  is  a  firing  sequence  starting  in  S'  and  that 
S'  *2m5*2.  Unfortunately,  2  cannot  always  be  used  for  2',  because  it  may 
not  be  a  halted  firing  sequence  starting  in  5'.  This  occurs  in  the  case 
that  5*2  is  hung-up ;  i.e.,  has  a  non-empty  pool  component. 
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J . 1  Hang-Ups 

An  example  of  a  hung-up  modified  state  Is  shown 


A  Hung-Up  Modi 
Figure  7 
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This  depicts  the  result  of  the  firing  sequence  &  •  (C,(p,n)),  U^,  R,  S 
starting  in  some  initial  modified  state  S.  The  firing  of  C  activated  node 
n,  the  pointer  to  which  is  p,  and  left  tokens  of  value  (p,W)  on  C's  output 
arcs.  The  firing  of  had  as  inputs  qt  the  pointer  to  a  second  node  m, 
selector  's',  and  p;  its  effect  was  to  make  n  the  's'-successor  of  m. 

The  firing  of  S  also  had  q  as  its  pointer  input  and  its  selector  input 
happened  to  be  's'.  On  the  standard  interpreter,  that  Select  firing  would 
output  a  token  of  value  p,  enabling  U^l  therefore,  2  starting  in  the 
corresponding  Initial  standard  state  is  not  halted.  On  the  modified 
Interpreter,  however,  the  label  S  is  placed  in  Q(p)  at  the  firing  of  the 
Select,  and  is  not  immediately  removed  because  of  the  presence  of  the 
write  pointer  (p.W).  Therefore,  is  not  enabled  in  S‘Q,  and  2  starting 
in  S  on  the  modified  interpreter  is  not  halted. 

Figure  7.1-2  demonstrates  why  an  unhalted  2  cannot  be  used  as  2* 
(i.e.,  why  t}CS"  ,a)  is  not  necessarily  SOE-indusive  of  tiCS'.g)).  It 
displays  the  same  program  as  above  with  the  addition  of  a  First  and 
another  Select.  A  halted  firing  sequence  for  th;Ls  program  starting  in 
any  initial  modified  state  S  is  2  ■  (C,(p,n)),  U^,  R,  S^,  F.  As  above,  2 
is  not  halted  when  starting  in  the  corresponding  initial  standard  state  S', 
because  there  will  be  tokens  on  both  of  S^'s  output  arcs,  enabling  and 
S^.  Since  2  Is  halted,  the  token  left  on  F's  number-1  output  arc  b  in 
S'Q  causes  r)(£,2)  to  have  an  entry  whose  transfer  has  source 
Source(b,5,2)  ■  Src(Ex(F,l) ,1) .  Because  2  is  not  halted  starting  in  S' , 
however  (and  no  firing  in  2  removes  a  token  from  F's  output  arc),  r)(S',c) 
will  have  no  entry  whose  transfer  has  that  same  source.  I.e.,  e  ■  Ex(F,l) 
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has  output  entries  In  ti(£,2)  but  not  In  r)(S',2).  Thus,  2  cannot  be  used 
as  s' *  for  at  least  the  superficial  reason  that  t)C?’,2)  is  not  SOE- 
incluslve  of  ^(5,2). 

There  Is  a  deeper  reason  that  2  is  unsuitable,  the  reason  for  inclu¬ 
ding  the  requirement  for  inclusive  sets  of  output  entries  in  the  defini¬ 
tion  of  SOE-inclusive:  The  output  entries  of  e  in  r)CS ,2)  may  be  con¬ 
strained  to  have  a  certain  value.  The  technique  being  used  to  prove  that 
they  do  relies  on  the  existence  of  another,  SOE-inclusive  computation  in 
which  the  output  entries  of  e  are  known  to  have  the  constrained  value. 

Then  since  the  output  entries  of  e  in  rj(S,2)  bave  the  same  value,  they 
satisfy  the  constraint.  Clearly  this  deduction  would  break  down  if  there 
were  no  output  entries  of  e  in  the  SOE-inclusive  computation. 

Fortunately,  the  possibility  of  hang-ups  on  the  modified  interpreter 
does  not  invalidate  any  of  the  results  of  this  thesis.  In  particular,  for 
any  halted  firing  sequence  2^  starting  in  any  initial  state  of  an  Lp 
program,  if  S^’2^  Is  hung-up,  then  for  any  other  halted  firing  sequence  22 
starting  in  any  state  S ^  equal  to  S^,  Is  a  hung-up  state  which  is 

equal  to  S^*2j.  I.e.,Lp  programs  are  functional  on  the  modified  inter¬ 
preter,  independent  of  the  issue  of  hang-ups.  Furthermore,  the  transla¬ 
tion  from  Lgy  programs  to  equivalent  programs  (Algorithm  3.4-1) 
produces  programs  which  do  not  hang  up. 

7. 1.3. 2  Discovering  the  SOE-inclusive  Computation 

For  each  initial  modified  state  S,  corresponding  initial  standard 
state  5’,  and  halted  firing  sequence  2  starting  in  S,  T}(S* ,2)  i»  not 
necessarily  SOE-inclusive  of  ti(5,2)«  This  is  because  even  though  2  is  a 


firing  sequence  starting  in  5* ,  it  night  not  be  halted,  if  5*2  is  a  hung¬ 
up  state.  2  is  however  a  prefix  of  a  halted  firing  sequence  2'  starting 
in  5' .  For  any  such  2',  co*  *  t)(5',2')  is  SOE-incluslve  of  co  *  11(5,2) 
(Definition  5.2-8),  as  the  following  argument  shows. 

The  computation  t}(5’  ,2)  is  a  prefix  of  co’ .  It  is  apparent  from 
Algorithm  4.3-1  that  all  structure  operation  executions  initiated  in  co 
are  initiated,  in  the  same  order,  in  ti(5*,2),  hence  in  co' .  For  any  non- 
pi  execution  e  »  Ex(d,k),  let  9<p  be  the  prefix  of  2  (and  2')  in  which  <p 
is  the  kttl  firing  of  d.  Then  there  is  an  entry  Ent(e,j)  of  value  v  in  co 
=»  there  is  a  token  of  value  v  on  d's  number- j  input  arc  in  5*0  which  is 
removed  by  <p  =»  there  is  a  token  of  value  v  on  that  arc  in  5' •  0  which  is 
removed  by  <p  (since  S'  *0^5*0)  =»  there  is  an  entry  Ent(e,j)  of  value  v  in 
co*.  For  any  Copy  execution  Ex(d,k)  initiated  in  co,  there  is  a  kth  firing 
of  operator  d  in  2,  so  there  is  a  prefix  0  of  2  containing  k  firings  of  d 
such  that  there  are  tokens  on  d's  output  arcs  in  5*9.  Each  such  token 
keeps  d  disabled  from  firing  a  k+1  time  until  it  is  removed  (if  ever) . 
Therefore,  either  it  is  removed  by  a  subsequent  firing  in  2  which  precedes 
the  k+l8t  firing  of  d,  or  it  is  left  in  the  final  state  5’S2  and  there  are 
just  k  firings  of  d  in  2.  In  either  case,  there  are  output  entries  of 
Ex(d,k)  in  co  (Lemma  7.1-2  below). 

Finally,  let  f  be  any  entry  in  co,  let  V(f)  be  v,  and  let  the  source 
in  T(f)  be  Src(Ex(d,k) ,1) .  The  target  of  f  is  an  execution  of  an  actor 
in  P  »  there  is  a  prefix  0<p  of  2  such  that  there  is  a  token  of  value  v  on 
an  output  arc  b  of  d  in  5*0  which  is  removed  by  the  immediately-following 
firing,  and  Src(Ex(d,k)  ,i)  -  Source(b,5,9)  -  since  5'*0|j5*9.  there  is  a 
token  on  b  in  S'*0  which  will  be  removed  by  the  next  firing,  and  since 


both  Source(b,5t6)  and  Source(b,5'  ,0)  depend  primarily  on  the  number  of 
firings  of  d  in  6,  they  are  equal  (Lemma  7.1-3  below)  =»  there  is  an  entry 
in  a>*  with  value  v  whose  transfer  has  the  same  source  as  T(f ) .  The  target 
of  f  is  a  dummy  output  execution  *»  there  is  a  token  of  value  v  on  b  in 
and  there  are  k  firings  of  d  in  2  =»  since  S'*2m5*2»  there  is  a  token 
of  value  v  on  b  in  5' *2  =»  d  cannot  fire  a  k+l8t  time  in  2'  until  that 
token  is  removed  =>  either  the  token  is  removed  by  a  subsequent  firing  in 
2'  and  k  firings  of  d  precede  that  removal,  or  the  token  is  left  on  b  in 
S'-  2'  and  there  are  k  firings  of  d  in  2*  =»  there  is  an  entry  in  oo'  with 
value  v  whose  transfer  has  the  same  source  as  T(f) . 

The  two  lemmas  cited  above  are  proven  first,  each  in  a  more  general 
form  which  can  be  used  in  succeeding  sections: 

Lemma  7.1-2  Let  5  be  any  initial  modified  state  for  an  LfiS  program  P,  and 
let  2  be  any  halted  firing  sequence  starting  in  S .  There  is  a  Copy  firing 
(d,(p,n)>  in  2  if  and  only  if  there  are  entries  in  t}(5,2)  with  value  p 
whose  transfers  have  source  Src(Ex(d,k) ,i)  for  some  i,  where  (d,(p,n)) 
is  the  ktl*  firing  of  d  in  2. 

Proof:  Prove  "only  if"  first. 

(1)  Let  3  be  the  prefix  of  2  in  which  the  last  firing  is  (d,(p,n)). 

Then  in  5*3  there  are  tokens  of  value  (p,R)  or  (p,W)  on  d's 
number-1  or  number-2  output  arcs.  Let  v  be  the  value  of  one  of 
those  tokens  Defs.  2.1-2f2.3-l+3 .3-9 

(2)  Let  6  be  the  longest  prefix  of  2  such  that  for  every  prefix  a  of  9, 

|3|  2  | A | ■  there  is  a  token  of  value  v  on  b  in  5*A.  Then  d  is 
not  enabled  in  5* A  Defs.  3. 3-6+2. 1-4 
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(3)  Every  firing  of  d  in  0  is  in  S,  so  there  are  k  firings  of  d  in  0 

(2)+Def .  2.3-1 

(4)  6  is  not  halted  =»  letting  <p  be  such  that  0<p  is  a  prefix  of  2,  <p  is 

not  a  firing  of  d  (2)+Def.  2.3-1+Cor.  7.1-1 

(5)  *»  there  is  not  a  different  token  on  b  in  5*0< p  than  in  S’Q  Def.  3.3-9 

(6)  =>  there  is  no  token  on  b  in  5'6cp;  i.e.,  a  token  of  value  v  was 

removed  in  going  from  S’Q  to  5*0<p  (2) 

(7)  =>  there  is  an  entry  in  t}(5,2)  with  value  p  whose  transfer  has 

source  Src(Ex(d,k) ,i)  for  some  i  (l)+(3)+Alg.  4.3-1 

(8)  0  is  halted  =»  0  «  2  =»  there  is  a  token  on  b  of  value  v  in  S ‘2  =» 

there  is  an  entry  in  r|(5,2)  with  value  p  whose  transfer  has  source 
Src(Ex(d,k) ,i)  for  some  i  (l)+(2)+(3)+Alg.  4.3-1 

Now  prove  "if”. 

(9)  There  is  an  entry  in  T)(S ,2)  with  value  p  whose  transfer  has  source 

Src(Ex(d,k) ,i)  for  some  i,  where  d  is  a  Copy  operator  =»  there  is  a 
prefix  Atp  of  2  containing  exactly  k  firings  of  d  such  that  tokens 
of  value  (p,R)  or  (p,W)  appear  on  d's  number-1  output  arcs  at  the 
transition  from  5 ’A  to  S’  Atp  Lemma  4.3-1 

(10)  =»  <p  is  a  firing  of  d  which  outputs  tokens  of  value  (p,R)  or  (p,W) 

Def.  3.3-9 

(11)  •>  ip  is  (d,(p,n)),  and  is  the  k**1  firing  of  d  in  2  Def.  2.3-1 

A 

Lemma  7 . 1-3  Given  any  L^g  program  P,  let  b  be  any  arc  in  P.  Let  5^  and 
52  he  either  any  two  equal  initial  modified  states  of  P  or  one  initial 
modified  state  and  the  corresponding  Initial  standard  state.  Let  6^  and 
@2  be  any  two  firing  sequences  starting  in  5^  and  52  respectively  such 


i 


If 


that  there  is  a  token  on  b  in  both  S^‘ 6^  and  S 2*02* 

(1)  b  is  an  output  arc  of  an  actor  =»  there  are  the  same  number  of 

firings  of  that  actor  in  6^  and  Q^, 
then  SourceCb.S^ep  “  Source(b,S2, e2> .  Furthermore,  letting 
Source(b,s^,0^)  be  Src(Ex(c' ,n) ,i) ,  if  c'  is  in  DL,  then  b  is  an  output 
arc  of  actor  c  =»  there  are  zero  firings  of  c  in  6^. 

Proof : 

(2)  For  any  prefix  Sip  of  0^  (02),  there  is  a  token  on  b  in  S^-Sip 

(S2*S<p)  which  is  not  on  b  in  *g  (S2*S)  *  b  Is  an  output  arc  of 
an  actor  d  and  either  <p  is  a  firing  of  d  or  there  is  a  pointer  p 
such  that  dfQ(p)  in  S^* S  (S2*S)  and  b  is  a  data-output  arc  of  d 

Defs.  3. 3-9+3. 3-7+2. 1-5 

(3)  b  is  not  an  output  arc  of  any  actor  =»  3i:  b  is  the  number-i  program 

input  arc  of  P  Def.  2.1-1 

(4)  A  there  is  no  prefix  Sip  of  0^  (02>  such  that  there  is  a  token  on  b 

in  5j*Sip  (52*Sip)  which  is  not  on  b  in  S^’E  ( *S)  =*  the  token  on 
b  in  <S2‘02)  is  on  b  in  5X  (SJ  (2) 

(5)  •»  Source (b,S^,0j)  -  Source(b,52,02)  ■  Src(Ex(ID,0) ,i)  (3)+Alg.  4.3-1 

(6)  Assume  b  is  an  output  arc  of  an  actor  d.  Then  b  is  not  a  program 

input  arc  Def.  2.1-1 

(7)  There  is  no  token  on  b  in  S ^  (S^)  »  the  token  on  b  in  S^'9^ 

is  not  on  b  in  5^  (S 2) 

(8)  There  is  a  firing  of  d  in  0^  (Sj)  “  there  is  a  prefix  S  of  0^  (02> 

such  that  d  is  enabled  in  5^‘S  S)  Def.  2.3-1 

(9)  ■*  there  is  no  token  on  b  in  S^’S  ( *s>  «•  the  token  on  b  in  •  e  , 

i 

L.  ,  « 

I*  ••VC'f'.M 
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(52*02)  is  not  on  b  In  S1  (S2>  (6)+Defs.  3. 3-6+2. 1-4 

(10)  There  is  a  token  on  b  In  (S2)  =»  b  is  a  control  arc  a  b  is  not 

a  data-output  arc  of  a  Select  (6)+Defs.  3. 3-5+2. 2-6 

(11)  There  ia  a  token  on  b  in  (S2)  and  there  are  zero  firings  of  d  in 

®1  (0^)  =>  there  is  no  prefix  Sp  of  0^  (0^)  such  that  the  token 
on  b  in  (52"Stp)  is  not  on  b  in  S^‘S  (S2*S)  =»  the  token  on 

b  in  S1'Q1  (5  •©  )  is  on  b  in  (SJ  (10)+(2) 

(12)  The  token  on  b  in  S^*0^  (52‘02)  is  on  b  In  S (S^)  iff  there  is  a 

token  on  b  in  S ^  (52)  and  there  are  zero  firings  of  c  in  0^  (0£) 

(7)+(8)+(9)+(ll) 


(13)  The  token  on  b  in  £^"0^  is  °n  b  in  5^  iff  there  is  a  token  on  b 

in  S 1  and  there  are  zero  firings  of  d  in  0^  (12) 

(14)  iff  there  is  a  token  on  b  in  S 2  Defs.  7 . 1-2+3 . 4-1+3 . 3-5 

(15)  and  there  are  zero  firings  of  d  in  0 2  (6)+(l) 

(16)  iff  the  token  on  b  in  is  on  b  in  S 2  (12) 

(17)  The  token  on  b  in  5^’0^  is  on  b  in  S-^  =»  Source(b„£>^,0^)  is 

Src(Ex(IT,0) ,1)  or  Src(Ex(IF,0) ,1) ,  according  as  the  value  of 
that  token  is  true  or  false  (10)+Alg.  4.3-1 

(18)  a  the  token  on  b  in  ^2*®2  *s  on  ^  *n  S2  (13)+(16) 

(19)  »  Source  (b,^,©^  *  Src(Ex(IT,0) ,1)  or  Src(Ex(IF,0) ,1)  according 

as  the  value  of  that  token  is  true  or  false  (10)+Alg.  4.3-1 

(20)  =»  Source  (b,^*^  •  Source (b,S^,0^)  Defs.  7 . 1-2+3 . 4-1+3 . 3-5 

(21)  The  token  on  b  inSj*0^is  not  on  b  in  **  Source(b,S^,0^)  is 

Src(Ex(d,k^) ,i)  where  k^  is  the  number  of  firings  of  d  in  0^  and 
b  is  in  the  number-1  group  of  output  arcs  of  d  Alg.  3.4-1 


(22)  a  the  token  on  b  inS  *0  is  not  on  b  in  S 


2 


(13)+(16) 
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(23)  «•  Source (b , S2, 02)  “  Src(Ex(d,k  ),i),  where  k2  is  the  number  of 

firings  of  d  in  &2  Alg.  3.4-1 

(24)  -  Source (b,52,02)  -  Source (b  ,SV  6^  (6)+(l) 

(25)  Source (b,52,62)  -  Source(b,Slf 0^  (3)+(5)+(6)+(17)+(20)+(21)+(24) 

(26)  Letting  SourceO*,^,  0^)  be  Src(Ex(c' ,n) ,i) ,  c'fDL  =>  the  token  on  b 

in  is  on  b  in  S  Def.  4.3-1+Alg.  3.4-1 

(27)  =<*  if  b  is  an  output  arc  of  actor  c,  then  there  are  zero  firings 

of  c  in  6X  (6)+(12) 

A 

Theorem  7.1-3  Let  P  be  any  L„„  program.  For  any  initial  modified  state 

'  DO 

S  for  P,  let  S '  be  the  corresponding  initial  standard  state,  and  let  £ 
be  any  halted  firing  sequence  starting  in  £.  Then  there  is  a  baited  . 
firing  sequence  S'  starting  in  S’  which  has  2  as  a  prefix  such  that 
T}(S'  ,2')  is  SOE- inclusive  of  t](S,2)  . 


Proof;  (The  essence  of  the  proof  has  already  been  expressed;  the  details 
may  be  found  in  Appendix  E.) 


As  outlined  at  the  start  of  this  section,  there  is  only  a  small 

difference  between  the  technique  for  validating  EE(L^,M)  as  an  S-S  model 

and  that  for  EE(L  ,S):  the  chain  from  any  pair  of  computations  a.  and  a„ 
fib  X  z 

in  a  job  to  a  pair  of  computations  and  a>2  known  to  satisfy  the  last 
five  constraints  has  one  more  link.  Consequently,  the  proof  of  the 
Theorem  below  is  so  similar  to  that  for  Theorem  5.3-1  that  it  has  been 
removed  to  Appendix  E. 


Theorem  7.1-4 


EE(Lp,M)  is  a  Structure-as-Storage  model. 


Q .B.D . 


E 
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7.2  Verification  That  EE(Lp,M)  Satisfies  the  Determinacy  Axioms 

This  section  presents  the  proofs  that  any  expansion  (Int,J)  from 
EE(L^,M)  satisfies  the  seven  Determinacy  Axioms  presented  in  Section  6.2. 
Section  7.2.1  covers  the  first  four  axioms;  each  succeeding  subsection 
treats  one  of  the  remaining  axioms:  in  order  of  increasing  difficulty, 
freedom  from  conflict,  commutativity,  and  persistence.  It  is  assumed 
throughout  that  P  is  the  L^  program  of  which  (Int,J)  is  the  expansion 
and  that  Int  *  (St,  /,IE). 

7.2-1  The  First  Four  Axioms 

The  demonstration  that  (Int,J)  satisfies  these  Axioms  is  simple: 

For  any  job  J€J,  each  computation  in  J  is  causal  and  J  has  the  Prefix 
Property  by  construction.  All  actions  except  the  eight  structure  oper¬ 
ations  are  deterministic  because  all  actors  in  an  Lp  program  except 
structure  operators  have  functions  associated  with  them.  For  any  e€IE, 
there  is  an  arc  b  in  P  such  that  the  values  of  the  output  entries  of  e  in 
any  two  computations  in  a  job  equal  the  values  of  the  tokens  on  b  in  two 
equal  initial  states  of  P;  if  either  value  is  not  a  pointer,  then  they 
are  the  same. 

Lemma  7.2-1  Every  expansion  (Int,J)  from  EE(LD>M)  satisfies  the  first 
four  Determinacy  Axioms. 

Proof : 

(1)  There  is  an  L  program  P  of  which  (Int,J)  is  an  expansion  Def.  4.3-1 

D 

(2)  Let  a  be  any  computation  in  any  job  J Then  there  is  an  initial 

modified  state  S  of  P  and  a  halted  firing  sequence  £  starting  in 
S  such  that  a  is  a  prefix  of  some  and  p  Itself  is  in  J 


-354- 


(1)+Def.  4.3-3 

(3)  p  Is  a  causal  permutation  of  t](S,S2)  (2)+Def.  4.3-5 

(4)  J  is  a  job  for  Int,  so  p  and  a  are  computations  for  Int 

Defs.  4. 2-2+4. 2-3 

(5)  Let  yf  be  any  prefix  of  a.  Then  yf  is  a  prefix  of  p  (2) 

(6)  Let  e  be  the  execution  of  which  f  is  an  output  entry.  Then  e  is 

initiated  in  y  with  respect  to  Int  (3)+(4)+(5)+Def .  4.2-7 

(7)  a  is  causal  with  respect  to  Int  (5)+(6)+(4)+Def .  4.2-7 

(8)  All  prefixes  of  p  are  in  J  (2)+Def.  4.3-3 

(9)  All  prefixes  of  a  are  prefixes  of  p  (2) 

(10)  J  has  the  Prefix  Property  (9)+(8)+Def.  4.2-7 

(11)  Let  and  a2  he  any  two  (not  necessarily  distinct)  computations  in 

any  two  jobs  and  J2  in  J.  Then  there  are  two  initial  states 
5^  and  for  P  and  two  halted  firing  sequences  and  ffi2 
starting  in  and  S 2  such  that,  for  i=l,2,  is  a  prefix  of  a 
permutation  p^  of  ■  ^(£^,2^)  Defs.  4. 3-3+4. 3-5 

(12)  Let  Int  =  (St,  /,IE).  Let  e^  *  Ex(d^,k^)  and  e2  ■  Ex(d2,k2)  be 

any  two  executions  not  in  IE  such  that  /(d^)  =  / (d 2)  »  a  is  not  a 
structure  operation  and,  for  i=l,2,  e^  has  output  entries  in  a^. 
Then  e^  is  initiated  in  wrt  Int;  i.e.,  there  are  In(a)  input 
entries  to  e^  in  (7)+(4)+Def.  4.2-7 

(13)  Since  e^  has  output  entries  in  a^,  it  has  output  entries  in  so 

dA  is  the  label  of  an  actor  in  P  (12)+Alg.  4.3-1 

(14)  Since  that  actor  is  not  a  structure  operator,  the  only  transitions 


at  which  tokens  appear  on  its  output  arcs  are  those  caused  by 
firing  it  (13)+Def .  3.3-9 
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(15)  a  is  a  function;  i.e.,  the  values  of  the  tokens  placed  on  d^'s 

output  arcs  at  any  firing  depend  only  on  the  values  of  the  tokens 
removed  from  d^'s  input  arcs  at  that  firing 

(12)+(13)+(1)+Defs.  3.3-12+2.2-3+2.1-2 

(16)  There  are  at  most  In(a)  input  entries  to  e^  in  {3^,  so  p  and  hence 

have  the  same  set  of  input  entries  to  e^  as  does 

(ll)+(4)+(12)+Def.  4.2-6 

(17)  For  all  j,  there  is  an  entry  Ent(eltj)  in  iff  there  is  an  entry 

Ent(e^,j)  in  a^,  and  if  so,  those  entries'  values  are  equal  => 

for  all  j,  there  is  an  entry  Ent(e^,j)  in  iff  there  is  an 
entry  Ent(e2»j)  in  ,  and  if  so,  their  values  are  equal  (16) 

(18)  =»  the  kj^*1  firing  of  d^  in  and  the  k2th  firing  of  d2  in 

remove  tokens  of  the  same  values  from  the  same  set  of  input  arcs 

(13)+Alg.  4.3-1 

(19)  =»  those  firings  place  tokens  of  the  same  value  on  the  output  arcs 

of  d^  and  d2  (15) 

(20)  =»  for  any  i,  the  value  of  Src(e^,i)  in  co^,  if  any,  equals  the  value 

of  Src(e2*i)  in  a^,  if  any  (14)+Lemma  4.3-1+Def.  4.2-6 

(21)  =»  for  any  i,  the  value  of  Src(e^,i)  in  a^,  if  any,  equals  the  value 

of  Src(e2»i)  in  a^,  if  any  (11) 

(22)  All  actions  except  the  structure  operations  are  deterministic 

(ll)+(12)+(17)+(21)+Def .  6.2-1 

(23)  Let  cij  and  be  any  two  computations  in  the  same  job  JfJ.  Then 

there  is  an  equivalence  class  E  of  initial  modified  states  for  P 

such  that  J  ■  J  Def.  4.3-2 

E 
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(2A)  There  are  two  equal  Initial  modified  states  for  P,  and  and 

two  halted  firing  sequences  sij  and  starting  in  ^  and  such 

that,  for  J*l,2,  <ij  is  a  prefix  of  a  permutation  of  u>j  *  r)(,S’j,^j) 

(23)-H)efs ,  A.  3-3+4. 3-5 

(25)  Let  e  be  any  execution  in  IF,.  For  any  1,  the  value  of  Src(e,l)  in 

Uj  equals  the  value  of  Src(e,i)  in  iOj  (2A)+Def.  A. 2-6 

(26)  e  is  either  Ex(II),0),  Ex(IT,0),  or  Kx(lF,0)  (25)+Def.  A. 3-2 

(27)  e  •  F,x(IT,Q)  (e  ■  F.x(IF,0))  the  value  of  Src(e.i)  in  uv^  and  is 

true  (false)  (2A)+Alg.  A. 3-1 

(27)  e  ■  Ex(ID,Q)  ■>*  the  value  of  Src(e,i)  in  w.  (uv)  is  the  value  of 
the  token  on  the  number-i  program  input  arc  of  P  in  ^  (S ^) 

(2A)+Alg.  A. 3-1 

(29)  «•  the  value  of  Src(e,i)  in  (0^  is  not  a  pointer  iff  the  value  of 

Src(e,i)  in  is  not  a  pointer,  and  if  the  values  are  not 
pointers,  they  are  equal  (2A)+Defs.  7.1-2+3.A-1 

(30)  The  value  of  Src(e,i)  in  is  not  a  pointer  iff  the  value  of 

Src(e,i)  in  Uj  is  not  a  pointer,  and  if  those  values  are  not 
pointers,  they  are  equal  (26)+(27)+(28)+(29)+(25) 

(31)  (Int,J)  satisfies  the  first  four  Determlnacy  Axioms 

(2)+(7)+(10)+(22)+(23)+(30)+Axiom«  6.2-1-6.2-A 

A 

7.2.2  Freedom  From  Conflict 

This  axiom  concerns  every  two  computations  agf  and  a?g  in  a  job  in 
which  T(f)  •  T(f),  T(g)  -  T(g) ,  and  g  and  f  initiate  distinct  executions 
e^  *  Ex^j.kj)  and  e^  ■  Ex(d^,kj),  respectively.  It  asserts  that  it  is 
not  the  case  that  in  agf,  F.nt(e^,l)  and  Entiej,!)  are  in  the  same  access 
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history  and  e^  is  in  the  reach  R^).  There  are  two  equal  initial  modi¬ 
fied  states  S  and  S'  for  P,  and  two  halted  firing  sequences  2  starting  in 
5  and  2'  starting  in  5',  such  that  agf  is  a  prefix  of  some  0  and  afg 

is  a  prefix  of  some  |3' €J  ,  , .  Since  $(p)  (4>( p * ) )  is  the  reduction  of  2 

O  )  JQ 

(2'),  *l>(agf)  (<i>(afg))  is  the  reduction  of  a  prefix  of  2  (S2* )  (Lemma  7.2-2 
below).  Since,  for  i-1,2,  serves  as  an  index  of  executions  of  d^ 
(Corollary  4.3-1),  is  the  k  ^  execution  of  d^  to  initiate  in  each  of 

agf  and  afg.  Therefore,  the  prefix  of  2  (2*)  whose  reduction  is  <l>(agf) 

(4>(afg) )  is  ( 0* tp^tp^) »  in  which,  for  i-1,2,  ^  (<p^)  is  the  kj.* 

firing  of  d^;  furthermore,  0  and  0*  have  the  same  reduction  <i>(a)  ,  so  they 
are  equal  firing  sequences. 

Ent(e^,l)  and  Ent(e2,l)  are  in  the  same  access  history  in  agf  iff 
they  have  the  same  value  iff  and  <pg  have  equal  number-1  pointer  inputs. 
Given  that,  e^  is  in  R(e2)  iff  the  actions  /(d^)  and  1^2)  are  one  of  a 
certain  few  combinations,  and,  possibly,  e^  and  e2  have  equal  selector 
Inputs.  This  in  turn  is  iff  <p^  and  cpj  are  firings  of  actors  of  that  same 

combination  of  actions,  and,  possibly,  have  the  same  selector  inputs  in 

0<{>2<Pi*  Comparing  the  definitions  of  reach  with  Table  3.1-1,  Ent(e^,l)  and 
Ent^.l)  are  in  the  same  access  history  and  e^€R(e2)  iff  <p^  and  <p^  poten¬ 
tially  interfere  in 

The  Commutativity  Axiom  also  concerns  two  computations  agf  and  afg 
in  the  same  job  in  which  g  and  f  may  initiate  distinct  executions.  The 
above  result,  therefore,  is  pertinent  to  both  axioms,  and  so  is  stated 
separately  below  as  Lemma  7.2-3;  the  essence  of  its  proof  has  been  con¬ 
veyed  well  enough  above  that  the  details  are  deferred  to  Appendix  E. 


I 


-358- 


Lemma  7.2-2  Let  S  be  any  Initial  interpreter  state  and  let  2  be  any 
halted  firing  sequence  starting  in  S.  Let  a  be  any  prefix  of  any 
computation  p  in  J  ,  and  let  6  be  the  prefix  of  2  whose  length  equals 
the  length  of  $(<1).  Then  the  reduction  of  0  is  $(a). 

Proof : 

(1)  #(p)  is  the  reduction  of  2  Def.  4.3-5 

(2)  A  prefix  of  the  reduction  of  2  Is  the  reduction  of  a  prefix  of  2 

Def.  2.4-5 

(3)  3>(a)  is  a  prefix  of  $(p)  Def.  4.3-4 

(4)  $(a)  is  the  reduction  of  a  prefix  A  of  2  (3)+(2)+(l) 

(5)  The  length  of  a  equals  the  length  of  the  reduction  oi  A  Def.  2.4-5 

(6)  <J>(a)  is  the  reduction  of  that  prefix  of  2  whose  length  is  the  same 

as  the  length  of  $(a),  i.e.,8  (4)+(5) 

A 

Lemma  7,2-3  For  any  equivalence  class  E  of  initial  modified  states  for 
an  L^g  program  P,  let  J  be  J^.  Let  Int(P)  be  (St,  /, IE).  Assume  there  are 
two  computations  agf  and  afg  in  J  such  that  T(f)  -  T(f) ,  T(g)  *  T(g) ,  and 
f  and  g  initiate  distinct  executions  e^  -  Ex(d^.k^)  and  e ^  m  8x^2,^)  in 
agf,  where  d^  and  d^  are  in  St-DL.  Let  S  and  2  (S'  and  2')  be  the  state 
in  E  and  halted  firing  sequence  starting  in  that  state  such  that  agf  (a?g) 

is  a  prefix  of  a  computation  in  J  (J_,  Then  there  are  prefixes 

o,2  0,2 

0^2^!  SandO'cpJcp^  of  2'  ,  whose  reductions  are  4>(agf)  and  $(afg) »  such 
that  ©'  equals  9  and  for  i-1,2,  <p  (<pp  is  the  k^**1  firing  of  d^. 
Furthermore,  and  <p^  potentially  interfere  in  iff  EntCe^.l)  and 

EntCe^tl)  are  in  the  same  access  history,  and  e^  is  in  R^),  in  agf. 

A 
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The  proof  that  each  expansion  in  EE(Lp,M)  satisfies  the  freedom- 
from-conflict  axiom  is  by  contradiction:  By  Lemma  7.2-3,  if  the  axiom  is 
not  satisfied,  there  are  two  equal  initial  states  S  and  S'  and  two  firing 
sequences  G^ip^  starting  in  S  and  starting  in  S'  in  which,  for 

1*1,2,  (pi  (tpp  is  the  k^**1  firing  of  d^;  furthermore.  S'  equals  S  and  <p^ 
and  potentially  interfere  in  ^2^1  *  By  Condition,  <p^ 

and  (p2  are  not  in  the  same  blocking  group  in  G^tp^.  It  is  argued  at 
length  in  Section  3.2  that  any  two  potentially-interfering  firings  in 
distinct  blocking  groups  in  any  firing  sequence  starting  in  S  are 
sequenced  by  S.  I.e.,  the  k^*1  firing  of  d^  must  follow  the  k2th  firing 
of  d2  in  all  firing  sequences  starting  in  any  state  equal  to  S.  There¬ 
fore,  0'(pp>2  cannot  be  a  firing  sequence  starting  in  S*;  hence  a  contra¬ 
diction. 

This  informal  argument  is  presented  rigorously  in  the  following: 

Theorem  7 ■ 2-1  Every  expansion  (Int,J)  from  EE(Lp,M)  satisfies  the 
Freedom-from-conf lict  Axiom. 

Proof :  By  contradiction. 

(1)  Let  P  be  the  L^  program  of  which  (Int,J)  is  an  expansion.  Assume 

that  the  Axiom  does  not  hold  for  (Int,J) 

(2)  There  is  a  computation  agf  in  a  job  J iJ  such  that 

(2a)  f  and  g  initiate  distinct  executions  e^  and ' e2  respectively  In  agf, 

(2b)  Ent(eltl)  and  Ent^.l)  are  in  the  same  access  history  in  agf, 

(2c)  e^  is  in  the  reach  R^)  in  agf,  and 

(2d)  there  is  a  computation  afg  in  J  with  T(f)  ■  T(f)  and  T(g)  •  T(g) 


(l)+Axiom  6.2-7 
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(3)  There  is  an  equivalence  class  E  of  initial  modified  states  for  P 

such  that  J  *  J  Defs.  4. 3-1+4. 3-2 

E 

(4)  There  is  an  initial  modified  state  S  in  E  and  a  halted  firing 

sequence  2  starting  in  5  such  that  agf  is  a  prefix  of  some  p 

in  J5  (2)+(3)+Def .  4.3-3 

(5)  There  is  an  initial  modified  state  5*  in  E  and  halted  firing 

sequence  2'  starting  in  5'  such  that  afg  is  a  prefix  of  some  p' 
in  J_,  .  (2d)+(3)+Def .  4.3-3 

S  9  Sc 

(6)  J  is  a  job  for  Int  -  Int(P)  -  (St,  /, IE)  (2)+Defs.  4. 2-2+4. 3-2 

(7)  agf  and  afg  are  both  computations  for  lnt(P)  (2)+(6)+Def.  4.2-3 

(8)  For  1*1,2,  let  e^  ■  Extd^.k^).  Then  l(d^)  and  /(d are  both 

structure  operations,  and  the  latter  is  an  Assign,  Update,  or 
Delete  (2c)+(7)+Defs.  5. 1-6+5. 1-8 

(9)  d^  and  d^  are  both  in  St-DL  (7)+(8)+Def.  4.3-2 

(10)  There  are  prefixes  of  2  and  G’cpj^  of  2* ,  whose  reductions 

are  $(agf)  and  $(afg),  such  that  6'  equals  8  and,  for  1*1,2,  <p^ 

(<p|)  is  the  firing  of  d^.  Furthermore,  <p^  and  <p2  potentially 

interfere  in  iff  Ent(e^,l)  and  Ent(e2»l)  ate  in  the  same 

access  history,  and  e^  is  in  R(e2),  in  agf 

(3)+(7)+(2)+(2d)+(2a)+(8)+(9)+(4)+(5)+Lemma  7.2-3 

(11)  <p^  and  <p2  potentially  interfere  in  G^tp^  (10)+(2b)+(2c) 

(12)  P  satisfies  the  Determinacy  Condition  (1)+Def.  3.3-12 

(13)  If  <p^  and  <p2  are  in  the  same  blocking  group  in  2,  then  in  any  firing 

sequence  2'  starting  in  any  state  S*  equal  to  S,  the  k^**  firing 
of  dx  follows  the  k2th  firing  of  d2  (12)+(11)+(10)+Def .  3.3-11 

(14)  There  is  an  S'  equal  to  S  and  an  2'  starting  in  5'  in  which  the  k^ 
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firing  of  d^  precedes  the  firing  of  dj  (5)+(4)+(10) 

(15)  <p^  and  q>j  are  in  distinct  blocking  groups  in  2  (13)+(14) 

(16)  The  actor  labelled  d2  is  a  write-class  operator (8)+Oef 8.  4. 3-2+3. 1-2 

(17)  P  satisfies  the  Read-Only  Condition  (1)+Def.  3.3-12 

(18)  d^  is  in  the  m.p.d.g.  G(K)  only  if  K  -  K(C,1)  for  some  Copy  operator 

C  (16)+(17)+Def.  3.3-2 

(19)  P  is  an  Lgg  program  (1)+Def.  3.3-12 

(20)  P  satisfies  the  Static/Dynamic  Group  Relationship  (19)+Lemma  3.3-1 

(21)  Exactly  one  of  the  following  statements  is  true: 

(21a)  There  is  exactly  one  integer  i  such  that  q^fSB  (ID,i) 

(21b)  There  is  exactly  one  Select  operator  S,  one  integer  n  and  one 
integer  1  such  that  q>2€SB^(S,n,i) 

(21c)  There  is  exactly  one  Copy  operator  C  and  one  Integer  n  such  that 

q^CSB^C.n,  2) 

(21d)  There  is  exactly  one  Copy  operator  C  and  one  integer  n  such  that 
q>2€SB^(C,n,  1) 

Furthermore,  each  of  (21a),  (21b),  and  (21c)  =»  d€G(K)  where  K  is 
not  K(C,1)  for  a  Copy  operator  C  (4)+(10)+(20)+Def .  3.3-13 

(22)  There  is  exactly  one  Copy  operator  C  and  one  integer  n  such  that 

<P2€SBa(C,n,l)  (21)+(18) 

(23)  The  n^  token  to  appear  on  C's  number-1  output  arcs  has  the  same 

value  as  the  token  removed  from  dj’s  primary  input  arc  by  q^ 

(22)+(20)+Def .  3.3-13 

(24)  For  any  Copy  operator  C,  there  is  no  token  on  C's  output  arcs  in  S 


Defa.  3. 3-5+2. 2-6 
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(25)  A  transition  from  empty  to  full  condition  for  an  output  arc  of  C 

occurs  just  at  every  firing  of  C  Defs.  3 . 3-6+2 . 1-4+3 . 3-9 

(26)  The  n1*1  token  to  appear  on  an  output  arc  of  C  is  output  by  the  nC^ 

firing  of  C  (24)+(25) 

(27)  There  is  a  pointer  p  such  that  the  value  of  the  token  removed  from 

d2*s  primary  input  arc  by  ipj*  as  well  as  the  tokens  placed  on  C's 
number-1  group  of  output  arcs  at  its  nC^  firing,  is  (p,W) 

(23)+(26)+Def .  3.3-9 

(28)  (j>^  has  the  same  primary  input  as  <p2  (ll)+Defs.  3. 1-2+3. 2-1 

(29)  tp.  is  not  in  SB  (C,n,l)  or  SB  (C,n,2)  (22)+(15)+Bef .  3.3-10 

^  M  it 

(30)  There  is  a  Copy  operator  C*  and  integer  n'  such  that  <p^€SB^(c’ ,n',l) 

or  ^€88  (C.', nV, 2)  «  O'  *  C  V  n*  *  n  (29) 

(31)  A  the  value  of  the  token  removed  by  <p^  from  d^’ s  primary  input  arc 

equals  the  value  of  the  n,th  token  to  appear  on  the  number-1 
or  number-2  output  arcs  of  C'  (20)+Def.  3.3-13 

(32)  =»  the  n,th  firing  of  C*  places  tokens  of  value  (p,R)  or  (p,W)  on  the 

output  arcs  of  C*  (28)+(27)+(26)-H)ef .  3.3-9 

(33)  =»  letting  be  the  prefix  of  Q  In  which  <p  is  the  later  of  the 

nth  firing  of  C  and  the  n,tl1  firing  of  C',  a  Copy  firing  in  A 
outputs  the  same  pointer  p  as  (pc  (27) 

(34)  *»  p(dom  n  in  5’A  (30)+(4)+Lemma  5.2-m>ef.  2.3-1 

(35)  ■»  <pc  could  not  output  (p,R)  or  (p,W)  Defs.  3. 3-9+2. 2-5 

(36)  For  any  Copy  operator  C'  and  Integer  n*,  <p^^SB  (C^n*,!), 

<PjlSB  (Cv ,nf,2),  and  [Cf  *  C  v  n'  #  n  «*  p  is  not  output  by  the 
n,th  firing  of  C’]  (30)+(32)+(35) 


crrcr;  • 
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(37)  3i:  (p^^SB  (ID,i)  =»  there  is  a  token  of  value  (p,R)  or  (p,W)  on  a 


program  input  arc  in  5 

(38)  =»  p(dom  n  in  S 


(28)+(27)+(20)+Def .  3.3-13 


Defa.  3. 3-5+2. 2-6 


(39)  Since  there  is  a  prefix  Acpr  of  a  in  which  <p  *  (C,(p,n))  for  some 

n,  and  |\|  <  |Acpg|»  p^dom  n  in  5  (4)+(27)+Lemma  5.2-1+Def.  2.3-1 

(40)  iSi:  <p^€SB  (ID»i)  (37)+(38)+(39) 

(41)  There  is  a  Select  operator  S  and  integers  j  and  i  such  that 


<Pl€SB2(s,j,i) 


(36)+(40)+(20)+Def .  3.3-13 


(42)  The  j  tokens  to  appear  on  S's  number-i  output  arcs  in  2  have  value 

(p,R)  or  (p,W)  and  that  appearance  does  not  follow  the  appearance 
of  the  token  removed  by  from  d^'s  primary  input  arc 

(41)+(28)+(27)+(20)+Def.  3.3-13 

(43)  d^  is  enabled  in  S'' 0'  and  d2  is  enabled  in 5*0 

(4)+(5)+(10)+Def.  2.3-1 

(44)  There  is  a  token  on  d^'s  primary  input  arc  in  S' '6' 


(45)  S'" Q'  and  S’ 0  are  equal  states 


(43)+Defs.  3. 3-6+2. 1-4 
(4)+(5)+(10)+Thm.  7.1-2 


(46)  There  is  a  token  on  d^'s  primary  input  arc  b  in  5*0 

(44 )+(45 )+Def s .  7. 1-2+3. 4-1 

(47)  b  is  jjpt  an  output  arc  of  (43)+(46)+Defs.  3. 3-6+2. 1-4 

(48)  b  is  not  a  data-output  arc  of  a  Select  operator  which  is  in  a  pool 


in  5*0 


(46)+Cor.  7.1-1 


(49)  No  token  can  appear  on  b  in  the  transition  from  5*0  to  S'&p^l  i.e., 
the  token  removed  by  is  on  d^'s  primary  input  arc  in  5*0 

(46)+(47)+(48)+Defs.  3. 3-9+2. 1-5 
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(50)  There  are  prefixes  of  0  such  that  there  are  tokens  of  value  (p,R) 

on  S's  output  arcs  after  those  prefixes.  Let  bp^  be  the 
shortest  of  these;  i.e.,  there  are  tokens  of  value  (p,R)  on  S's 
output  arcs  In  S’ b but  not  in  5‘A  (49)+(42)+Def .  3.3-9 

(51)  Let  A  be  the  actor  of  which  <p^  is  a  firing.  Then  S  is  in  Q(p)  in 

Fire(S’A,A)  and  there  is  no  token  with  value  (p,W)  on  an  arc  in 
S-b pA  (50)+Def.  3.3-9 

(52)  There  is  a  prefix  Scps  of  in  which  <pg  is  a  firing  of  S  such  that, 

for  -  (r.U),  there  are  tokens  of  value  p  on  S's  output  arcs 
in  Standardr((Strip(r,S),U),S)  (51)+Defs.  3. 3-5+3. 3-9 

(53)  There  is  some  node  n  such  that  IT(p)€SM(n)  in  S’ S  (51)+Def.  2.2-5 

(54)  Let  Sg  be  the  standard  state  corresponding  to  S.  Then  S  is  a 

firing  sequence  starting  in  Sg  and  Sg*S|j£*S  Thm.  7.1-1 

(55)  The  heap  in  S’S  is  identical  to  that  in  Sg*S  (54)+Def.  7.1-1 

(56)  There  is  some  node  n  such  that  n(p)  is  in  SM(n)  in  Sg*S  (55)+(53) 

(57)  p€dom  n  in  Sg*S,  hence  p€dom  IT  in  S’ S  (55)+(56)+Tht9.  2.2-1 

(58)  fl  does  not  contain  the  nth  firing  of  C  «*  S  does  not  contain  the  nth 

firing  of  C  »  p/dom  II  in  S’ S  (52)+(27)+(4)+Lennna  5.2-1+Def.  2.3-1 

(59)  d  does  contain  the  nth  firing  of  C  (58)+(57) 

(60)  There  is  a  prefix  X<p  of  Q  with  |a|  c  |x|  <  J 0 1  such  that  there  is 

no  token  with  value  (p,W)  in  S'X  but  there  is  one  in  S'Xip 

(51)+(27)+(10) 

(61)  That  token  can  appear  only  on  an  output  arc  of  a  Copy  or  pi 

operator  (not  a  Select) ,  and  then  only  if  $  is  a  firing  of  that 


operator 


Defs.  3. 3-9+2. 2-5 
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(62)  <p  is  a  pi  firing  9  there  is  a  token  of  value  (p,W)  on  an  arc  in  S'X 

Defs.  3. 3-9+2. 2-4+3. 3-8 

(63)  <p  is  a  Copy  firing  which  outputs  (p,W)  but  is  not  the  n^  firing  of 

C  (61)+(62)+(60)+(59) 

Since  (1)  leads  to  a  contradiction  between  (63)  and  (36) ,  (1)  is  false 

(64)  (Int,J)  satisfies  the  Freedom-from-conf lict  Axiom 

A 

7.2.3  Commutativity 

This  axiom  asserts  that  for  any  computation  agf6  in  a  job  J(  J such 

that  afg6  is  also  in  J,  ETj(afg6)  “  ETj(agf6).  For  any  transfer  t  in 

ETj(agffi) ,  there  is  an  entry  h  with  T(h)  *  t  such  that  agf6h  is  in  J. 

By  construction  of  J,  there  is  a  y  such  that  p  *  agf6hy  is  in  J  for 

x  *“1 

some  initial  modified  state  S ^  and  halted  firing  sequence  starting  in 

S^.  There  is  also  an  initial  modified  state  5^  equal  to  and  halted 

firing  sequence  starting  in  5^  such  that  afg6  is  a  prefix  of  some  p' 

in  JQ  .  The  thrust  of  the  proof  is  to  show  that  there  is  a  halted 
°2  »*2 

firing  sequence  2'  starting  in  S.  such  that  afgShy  is  in  J  it  then 

A  O  px 

follows  that  afgfih  is  in  J,  so  T(h)  ■  t  is  in  ETj(afg6).  By  symmetry, 
every  transfer  in  ETj(afg6)  is  in  ETj(agf6) ,  so  ETj(afg6)  *  ETj(agf6). 

For  afg6hv  to  be  in  Jc  it  must  be  causal  (Definition  4.3-5). 

Both  p*  and  p  are  known  to  be  causal.  For  any  prefix  ek  of  afgShy  in 

which  k  is  an  output  entry  of  execution  e,  if  ek  is  a  prefix  of  afg6,  then 

e  is  initiated  in  e  by  the  causality  of  p'.  Otherwise,  there  is  an  t  such 
that  ek  a  afgStk.  This  implies  that  agf6tk  is  a  prefix  of  p,  so  the 
initiating  entry  of  e  is  in  agfSc,.  Therefore,  e  is  also  Initiated  in 
afg6c  *  e,  so  afgShy  is  causal. 
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The  remainder  of  the  proof  is  divided  into  two  cases. 

Case  I:  f  and  g  do  not  initiate  distinct  executions  of  actors  in  P. 

In  this  case,  2*  ■  2^-  Since  p  is  a  permutation  of  r)(S^,2^)»  afg6hy 
is  a  (causal)  permutation  of  r}(£^,2' )  •  If  neither  of  f  and  g  initiates  an 
execution  in  agf,  then  neither  initiates  an  execution  in  afg,  so 
<f>(afg)  ■  4>(a)  ■  $(agf).  If  one  of  f  and  g  initiates  an  execution 
e  -  Ex(d,k)  in  agf,  then  one  of  f  and  g  initiates  e  in  afg  (if  they  are 
both  input  entries  to  e,  then  the  initiating  entry  in  either  computation 
is  the  later  one).  Then  $(afg)  "  4>(agf)  *  $(a)(p,  where  <p  is  a  firing  of 
d.  It  is  known  that  $(p)  =  $(agf6hy)  is  the  reduction  of  2^.  The  same 
firings  which  follow  <t>(ogf)  in  4>(agf6hY)  also  follow  <i>(afg)  in  $(afg6hy)  » 
and  do  so  in  the  same  order.  Since  <f>(agf)  “  $(afg),  ^afgShy)  =  $>(agf6hY>, 
which  is  $(p),  the  reduction  of  2^  ■  2'  (Lemma  7.2-4  below). 

The  final  condition  which  must  be  met  for  afgfihy  to  be  in  J  , 

&  ^  tSc 

concerns  each  of  its  prefixes  ek.  First  the  following  observation  is  made 
about  ek  and  the  prefix  4  of  S'  whose  reduction  is  $(e):  If  ek  is  a 
prefix  of  ofg6,  then  e  is  a  prefix  of p',  so  letting  ^  he  the  prefix  of  2g 
whose  reduction  is  #(e),  Aj  e<Iua^8  45  hence  $2^2  e<lua*s  £j/A«  Otherwise, 
as  noted  above,  there  is  a  prefix  e’k  of  p  ■  agfShy  such  that  $(e')  ■  $(e); 
therefore,  letting  A^  he  the  prefix  of  2^  whose  reduction  is  f>(e'),  A^ 
equals  A,  so  "A^  equals  S^' A.  I.e.,  afgbhy  is  a  causal  permutation  of 
■nCS^, 2’),  4,(afg6hY)  is  the  reduction  of  2'»  and  for  each  prefix  ek  of 
afgShy*  letting  A  he  the  prefix  of  2'  whose  reduction  is  $(e)>  there  is  an 
initial  state  S'  equal  to  S  and  a  halted  firing  sequence  2  starting  in  S' , 

and  there  is  a  prefix  e'k  of  some  ,  .  such  that,  letting  a'  he  the 

S  tS2 

prefix  of  2  whose  reduction  is  $(e*)*  S' ‘ &'  equals  5^*A* 


-  | 
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Completing  the  proof  in  this  case  requires  considering  the  destina¬ 
tion  Dst(Ex(d,m) ,j)  in  T(k) .  If  dlDL,  then  because  cfJ  ,  ,  d  is  enabled 

S 

in  S' •&' ,  and  if  it  is  a  merge  gate,  and  its  number-j  input  arc  is  its 
T  (F)  input  arc,  then  its  control  input  arc  holds  a  true  (false)  token  in 
S' ’Hi'  •  Because  £^*A  equals  S' 4 A'»  d  is  enabled  in  S^’A  with  the  same 
input  tokens  (Corollary  7.1-2).  If  d€DL  and  d  «  (c,n),  then  there  is  a 
token  in  S,mh'  on  the  arc  b  which  is  either  the  number-n  program  output 
arc  of  P  if  c  *  "OD",  or  the  number-n  input  arc  of  the  actor  labelled  c; 
furthermore,  if  c  j£  "OD",  there  is  no  firing  sequence  starting  in  S' • A’ 
which  contains  a  firing  of  c.  Since  S^*A  equals  S'- A',  there  is  a  token 
on  b  in  5^*A»  and  any  firing  sequence  starting  in  5^*A  is  a  firing  sequence 
starting  in  S’’ "A1  (Corollary  7.1-2),  and  so  does  not  contain  a  firing  of  c. 
These  conclusions,  together  with  the  fact  that  afg6hy  is  a  causal  permu¬ 
tation  of  ^(5^,52')  and  <|>(afg6hY)  is  the  reduction  of  mean  that  afgghy 


(Reasoning  similar  to  that  in  the  final  paragraph  above  is  used  in 
the  proof  that  every  expansion  satisfies  the  Persistence  Axiom.  For 
efficiency,  the  results  needed  in  both  proofs  are  combined  into  one  lemma. 
Unfortunately ?  a  complete  understanding  of  that  lemma  requires  consider¬ 
ations  unique  to  persistence.  To  avoid  a  disruptive  digression  here,  the 
presentation  of  the  lemma  [Lemma  7.2-8]  is  postponed  until  after  the  proof 
of  Commutativity,  in  which  it  is  used;  this  does  not,  however,  introduce 
any  circularity.) 

Case  II:  f  and  g  initiate  executions  e^  “  Ex(d^,k^)  and  e ^ 

There  are  prefixes  0<p2<P^  of  2^  and  of  w*'ose  reductions  are 

$(agf)  and  $(afg)  and  6'  equals  0.  Furthermore,  <p^  and  <p  potentially 
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interfere  iff,  in  agf,  Entte^.l)  and  Ent(e2,l)  are  in  the  same  access 
history  and  e^€R(e2)  (Lemma  7.2-3).  By  freedom-from-conflict,  it  is  not 
true  that  Ent(e^,l)  and  Ent(e2>l)  are  in  the  same  access  history  and 
e^€R(e2) .  Therefore,  <p^  and  <p2  do  not  potentially  interfere  in  - 

Since  and  <pj  (<p2  and  <p2>  are  firings  of  the  same  actor,  0<p^2  equals 
e'(Pj(P2,  which  is  a  firing  sequence  starting  in  S ^  equals  S^*  so 

04,^2  is  a  firing  sequence  starting  in  S ^  (Corollary  7.1-2).  I.e.,  there 

are  two  firing  sequences  0cp^(p2  and  0<p2<p^  starting  in  S ^  such  that  cp^  and 
<p2  do  not  potentially  interfere  in  &p2<p^. 

For  ftie  initial  standard  state  corresponding  to  and 

* 

0tp^q>2  are  firing  sequences  starting  in  ‘Ocp^^pS-^'OcPjfPi  and 

‘(kPjVj.  Since  <p^  and  <p 2  do  not  potentially  interfere,  an 
earlier  argument  for  standard  states  (Theorem  3.1-1)  applies,  holding 
that  and  cp2  do  not  interfere;  i.e.,  S|*0<P2<p^  and  Sj *0<p^(p2  are  identical 
standard  states.  Modified  states  differ  from  standard  states  in  two 
regards:  tagged  pointers  (p,R)  and  (p,W)  take  the  places  of  simple  point¬ 
ers  as  the  values  of  tokens,  and  there  is  a  third,  pool  component  in  a 
modified  state.  By  the  congruency  relation  p,  the  heap  in  is 

identical  to  that  in  S^*6<p2<p^,  which  is  identical  to  that  in  S|*0<p^P2, 
which  is  identical  to  that  in  ‘ Similarly,  each  arc  holds  a  non¬ 
pointer-valued  token  in  £^*9<p2<p^  iff  it  holds  a  token  of  the  same  value  in 
5^‘6(Pj4>2.  Finally,  if  the  pool  components  are  identical,  each  arc  holds  a 
token  of  value  (p,R)  or  (p,W)  in  S  iff  it  holds  a  token  of  value 

(p»R)  or  (p,W)  in  51*0<p1(P2. 

Lemma  7.2-5  below  proves  sufficient  conditions  under  which,  for  any 
arc  holding  tokens  in  two  different  states  S • and  S*&2  whose  values  are 
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tagged  pointers,  either  both  are  read  pointers  or  both  are  write  pointers. 
The  only  arcs  which  can  hold  pointer -valued  tokens  are  program  input  arcs 
and  output  arcs  of  Copy,  Select,  or  pi  operators  (including  gates).  In 
all  but  the  last  case,  the  arc  either  always  holds  a  read  pointer  or 
always  holds  a  write  pointer.  For  a  pi  actor  d,  the  k^  firings  of  d  in 
A^  and  output  tokens  removed  from  the  same  arc  b  if  [d  is  a  gate  => 
those  firings  had  identical  control  inputs].  If  there  is  a  k*  such  that 
the  last  firing  of  the  actor  of  which  b  is  an  output  arc  is  the  k,th  in 
both  A^  and  ^ >  then  a  simple  inductive  argument  shows  that  the  kth 
firings  in  A^  and  of  any  pi  actor  either  both  output  read  pointers  or 
both  output  write  pointers.  Then  if  every  actor  fires  the  same  number  of 
times  in  A^  and  the  values  of  the  tokens  on  any  arc  in  S' A^  and  S * 
are  either  both  read  pointers  or  both  write  pointers. 

From  the  preceding  two  paragraphs,  the  configuration  and  heap  compon¬ 
ents  in  5^ and  are  identical  if  the  pool  components  are. 

A  careful  accounting  shows  that  for  each  pointer  p,  the  number  of  tokens 
with  value  (p,W)  is  the  same  in  both  states.  For  each  label  S  which  is  in 
Q(p)  in  5’^' 0,  then,  S  will  have  been  removed  in  iff  there  are 

zero  tokens  of  value  (p,W)  in  and  * ©cp^cp^  if  f  S  has  been 

removed  from  Q(p)  in  If  either  <p  or  ip2  is  a  firing  of  S,  it 

has  the  same  inputs  in  both  G^tp^  ai*d  Gtpj^  an<*  fires  in  the  same  heap, 
and  so  will  try  to  output  the  same  pointer.  Thus,  S  will  get  added  to  the 
same  pool  in  either  firing  sequence,  and  will  have  been  removed  from  that 
pool  in  * 0tp2<p^  iff  it  has  been  removed  in  Therefore,  the 

pool  components  of  5^* and  S^’Sipj^  are  identical,  so  the  states 
themselves  are  identical  (Theorem  7.2-2  below). 
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The  halted  firing  sequence  2^  has  ©q^q^  as  a  prefix,  and  so  may  be 
written  as  ©q^q^S.  Since  -^‘©q^q)  and  ^'©q,^  are  identical,  it  is 
evident  that  for  any  prefixes  ^  of  2^  and  &'  of  ©q^q^H  such  that 
|AjJ  ■  |  A*  |  >  1 0<p>2<Pi  I »  ^^‘A^and  £^*A*  are  identical;  furthermore, 

2'  ■  Gq^q^S  Is  also  a  halted  firing  sequence  starting  in  S  .  $(ogf)  is 
the  reduction  of  ©q^q^,  4>(afg)  is  the  reduction  of  ©q>  qj  ,  and  <i>(agf6hy)  ls 
4>(p),  the  reduction  of  ^  -  6$^  H;  hence,  $(afg6hy)  is  the  reduction  of 
©q^q^S  *  S2*  (Lemma  7.2-4).  Because  both  d^  and  d2  are  enabled  in 
5^* Q,  no  output  arc  of  one  is  an  input  arc  of  the  other,  so  any  token 
removed  from  an  arc  b  by  <p^  or  q^  in  either  ©q^q^  or  ©ip^q^  *s  on  b  in 
5^*0.  Thus  cp^  removes  the  same  tokens  from  the  same  arcs  in  ©q^q)^  and 
9<P]L<p2*  ‘(*2  ^oes  also.  Since  every  other  firing  fires  in  identical  states, 
for  any  d  and  k,  the  kth  firings  of  d  in  2^  and  2*  both  remove  the  same 
tokens  from  the  same  arcs.  Furthermore,  for  any  such  arc  which  is  an 
output  arc  of  an  actor  d',  the  k^  firings  of  d  in  2^  and  2'  are  preceded 
by  the  same  number  of  firings  of  d'.  Finally,  each  arc  has  a  token  left 
in  the  final  state  S^’2^  iff  it  has  an  identical  token  in  5^*2' .  By 
Algorithm  3.4-1,  then,  ^(5^,2')  has  the  same  set  of  entries  as  t}(Sj,2^) 
(Lemma  7 . 2-6  below) . 

Thus  far,  it  has  been  seen  that  afg6hy  ls  a  permutation  of  agfShy, 
which  ia  a  permutation  of  r)(S^,2^),  which  is  a  permutation  of  ^(5^,2')* 

•nd  that  KafgAhy)  is  the  reduction  of  2'.  The  following  is  sufficient 
prove  that  ifg^hr  is  in  ^(5^,2'):  For  each  prefix  ek  of  afgfihy, 

-  ■  ■  ■  *0  *»»  the  pr»f  1 1  of  w'  whose  reduction  ls  ♦(?),  there  ls  an  initial 


«nH  ■  halted  firing  sequence  2  starting  in  S',  and 
*  »ep<i(  «i  I  -Ml  In  I.,  such  that,  letting  4' 


be  the  prefix  of  2  whose  reduction  is  $(e'),  S'  "A*  equals  S^‘  A 
(Lemma  7.2-8).  If  ek  is  a  prefix  of  afg6,  then,  as  in  Case  I,  c  is  a 
prefix  of  p',  bo  S'  ■  S 2  a°d  S2  *  S22*  Otherwise,  there  is  an  l  such  that 
e  »  afgc.  Since  ‘i’(afg)  is  the  reduction  of  there  is  a  X  such  that 

A  =  0(p^(p2X.  Since  4>(agf)  is  the  reduction  of  0<p ^ >  there  is  a  prefix 
e'k  *  agftk  of  agf6hy€J  such  that,  for  A'  the  prefix  of  2.  whose 

reduction  is  4>(e'),  A'  =  (Lemma  7.2-4).  )a'|  =  | A |  >  |9(p2(PjJt  so 

S^'A'  andS*A  are  identical,  hence  equal.  Therefore,  afg6hy  is  in  J  0, 
The  various  lemmas  and  theorems  for  which  informal  proofs  have  just 
been  given  are  now  presented  in  their  precise  forms. 

Lemma  7.2-4  Let  ctpc^,  and  p  be  any  three  sequences  of  entries  such  that 
a2  is  a  permutation  of  a^.  Let  Int  *  (St,  /,IE)  be  an  interpretation.  Let 
61  and  be  such  that,  for  i**l,2,  the  firing  sequence  4>(ai)  reconstructed 
from  with  respect  to  Int  Is  the  reduction  of  9^.  Then  for  any  A, 

$(a^p)  is  the  reduction  of  0^A  •  <i>(a2p)  is  the  reduction  of  62A. 

Proof :  By  induction  on  the  length  of  (3.  All  initiations  and  reconstruc¬ 
tions  are  with  respect  to  Int. 

Basis:  |p|  -  0. 

(1)  Since  a^p«a^,  for  any  A,  $(a^|3)  is  the  reduction  of  9^A  =»  <f>(a^)  is 

the  reduction  of  9^A  =>  the  reduction  of  0^  equals  the  reduction  of 
9jA  =»  |a|  -  0  Def.  2.4-5 

(2)  =»  ^>(a2p)  -  <l>(a2)  is  the  reduction  of  02A  ■  92 

Induction  step:  Assume  the  Lemma  is  true  for  any  p  of  length  n  >  0,  and 
consider  p  -  yf  of  length  nfl. 
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(3)  Let  e  -  Ex(d,k)  be  the  target  of  f.  f  is  not  the  initiating  entry 

of  e  in  a^p  iff  there  are  fewer  than  In(/(d))  input  entries  to  e 

in  a^p  iff  there  are  fewer  than  In(/(d))  input  entries  to  e  in 
a2p  iff  f  is  not  the  initiating  entry  of  e  in  a2p  Def.  4.2-6 

(4)  f  is  not  the  initiating  entry  of  e  in  a^p  =»  $(a^p)  *  $(<ijY)  a 

$(a2p)  -  $(a2Y)  (3)+Def .  4.3-4 

(5)  =»  [for  any  A,  $(a^p)  is  the  reduction  of  0^A  =>  "Hcx^y)  is  tlie 

reduction  of  0^A  =»  $(<i2y)  is  the  reduction  of  @2A  ind.  hyp. 

(6)  =>  <i>(a2P)  is  the  reduction  of  02A]  (4) 

(7)  f  is  the  initiating  entry  of  e  in  a^p  =  $(a^p)  m  <KajY)<p'  and 

<J>(a2P)  ■  where  <p*  is  a  firing  of  d  (3)+Def.  4.3-4 

(8)  =»  [for  any  A,  <Ha.jp)  is  the  reduction  of  0^A  =»  0.jA  -  GjSp,  where  tp 

is  a  firing  of  d  Def.  2.4-5 

(9)  =>  the  reduction  of  0jS  is  that  prefix  of  the  reduction  of  0^A  which 

is  one  firing  shorter  than  the  reduction  of  0^A  Def.  2.4-5 

(10)  =  the  reduction  of  0jE  is  4>(cijY)  (8)+(7) 

(11)  =»  <J>(a2Y)  is  the  reduction  of  02E  ind.  hyp. 

(12)  =»  the  reduction  of  02A  is  <Ha2Y)<p'»  where  tp*  is  a  firing  of  d 

Def.  2.4-5 

(13)  *•  the  reduction  of  02A  is  $(a2P)]  (8)+(7) 

(14)  For  any  A,  (p(a^p)  is  the  reduction  of  0^A»4>(a2p)  is  the  reduction 

of  02A  (4)+(5)+(6)+(7)+(8)+(13) 

A 

Lemma  7,2-5  Let  5^  and  52  be  any  two  equal  initial  modified  states  for 
the  same  program  P.  Let  and  &2  be  two  firing  sequences  starting  in  5^ 
and  52  respectively  such  that 
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(1)  for  each  actor  d  in  P,  there  are  the  same  number  of  firings  of  d 

in  both  2^  and 

(2)  for  each  gate  d  in  P  and  each  k,  the  k^  firings  of  d  in  2^  and 

remove  control  tokens  of  the  same  value,  and 

(3)  for  any  two  actors  d  and  d',  and  for  any  k,  there  is  a  k'  such  that 

if  the  k  firings  of  d  in  2^  and  22  remove  tokens  from  output  arcs 
of  d',  then  those  firings  both  are  preceded  by  k'  firings  of  d'. 
Then  for  any  arc  in  P  which  holds  tokens  of  pointer  value  in  5^*2^  and 
■S'2*22,  either  both  are  read  pointers  or  both  are  write  pointers. 

Proof :  (The  straight-forward  inductive  proof  has  already  been  outlined 
above;  the  rigorous  treatment  has  been  removed  to  Appendix  E.) 

A 

Theorem  7.2-2  Given  any  Lp  program  P,  let  be  any  firing  sequence 

starting  in  any  initial  modified  state  S  of  P,  such  that  also  a 

firing  sequence  starting  in  5.  If  <p ^  and  <p2  do  not  potentially  Interfere 
in  0ip2<Pj«  then  S' dip 2<P^  and  5*09^2  are  identical  states. 

Proof ; 

(1)  6  is  a  firing  sequence  starting  in  S  Def.  2.3-1 

(2)  Let  S'  be  the  initial  standard  state  corresponding  to  S .  Then  0, 

0q>2<Pi»  and  are  all  firing  sequences  starting  in  S', 

S'  *0|j5*0,  S'  •  and '5'  •  *  Oqypg  (1)+Thm.  7.1-1 

(3)  <pj^  and  <p2  do  not  interfere  in  Thm.  3.1-1 

(4)  S'*0<p2<P^  and  5 '  •  0cp^(p2  are  identical  states  (3)+Def.  3.1-1 

(5)  Let  d^  and  d2  be  the  actors  of  which  and  ip2  are  firings.  Then 

both  actors  are  enabled  in  5*0  Def.  2.3-1 
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(6)  If  either  is  a  gate,  its  control  input  arc  has  a  token  in  S’Q  and 

so  is  not  an  output  arc  of  the  other  (5)+Defs.  3.3-64-2.1-4 

(7)  If  d^  (d2)  is  a  gate,  the  control  token  input  by  <p  (<p^ )  in  either 

0<P2<Pi  or  0cp^ip2  is  the  token  on  the  control  input  arc  in  S'0 

(6)+Defs.  3.3-9+3.3-74-2.1-5 

(8)  The  sets  of  input  arcs  from  which  (<p2)  removes  tokens  is  the 

same  in  both  an<*  8tpj.<p2  (7)40efs.  3. 3-9+2. 1-5 

(9)  All  of  those  arcs  have  tokens  in  S’Q  (5)+(7)+Defs.  3. 3-6+2. 1-4 

(10)  None  of  those  arcs  is  an  output  arc  of  either  d^  or 

(5)+(9)+Defs.  3. 3-6+2. 1-4 

(11)  All  of  the  tokens  removed  by  ^  (<p2)  in  either  0^^  or  ate 

on  the  arcs  from  which  they  are  removed  in  S’Q  (10)+Def.  2.1-5 

(12)  For  any  pointer  p  and  any  arc  b,  there'  is  a  token  with  value  (p,W) 

on  b  in  <5*0  but  no  such  token  in  S’Oq^tp^  Iff  there  is  a  token  with 
value  (p,W)  on  b  in  S'Q  but  no  such  token  in  S*©^^  (8)+(ll) 

(13)  For  each  arc  b,  b  holds  a  token  of  value  (p,W)  in  S’Q  =*  b  is  not 

an  output  arc  of  either  d^  or  d^  (5)+Defs.  3. 3-6+2. 1-4 

(14)  »  if  b  holds  a  token  in  either  S’O^ip^  or  S'ftpj^.  *ts  value  fa 

(p,W)  Defs.  3. 3-9+2. 1-5 

(15)  Tokens  with  write  pointers  as  values  can  be  placed  on  the  output 

arcs  only  of  Copy  or  pi  operators  Defs.  3 . 3-9+3 . 3-7+2 . 2-5 

(16)  Neither  <p^  nor  <p2  is  a  Copy  firing  which  outputs  p  =  for  each  arc 

b,  there  is  a  token  with  value  (p,W)  on  b  in  S  *  Otp^cpj  but  no  such 
token  in  5*0  iff  b  is  an  output  arc  of  d^  or  d2>  that  actor  is  a 
pi  operator,  and  if  it  is  a  gate,  the  control  input  to  ^  or  ^ 
in  ftp ^2  f-8  suc^  that  tokens  are  placed  on  all  output  arcs  and 

La* 
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their  values  equal  the  value  of  the  token  removed  from  an  input 
arc  a  by  <p^  or  in  which  token  has  value  (p,W) 

(15)+Defs.  3. 3-9+2. 1-5+2. 2-4 

(17)  iff  b  is  an  output  arc  of  or  d^>  that  actor  is  a  pi  operator, 

and  if  it  is  a  gate,  the  control  input  to  ^  or  in  is 

such  that  tokens  are  placed  on  all  output  arcs  and  their  values 
equal  the  value  of  the  token  removed  from  input  arc  a  by  <p  or 
q>2  in  0tp2ip^»  which  token  has  value  (p,W)  (7)+(ll) 

(18)  iff  there  is  a  token  with  value  (p,W)  on  b  in  but  no  such 

token  on  b  in  S'  0  (15)+Defs.  3 . 3-9+2 . 1-5+2 . 2-4 

(19)  The  number  of  tokens  with  value  (p,W)  in  S’  0q)  <p^  (or  is 

the  number  of  tokens  with  value  (p,W)  in  S' e,  minus  the  number  of 
arcs  which  hold  tokens  of  value  (p,W)  in  5-g  but  not  in  S • 

(or  S  •  0<P^iP2^ »  pin®  the  number  of  arcs  which  hold  no  tokens  in  S  •  9 
but  a  token  of  value  (p,W)  in  S’Qq^q^  (°r  (13)+(14) 

(20)  If  neither  <p^  or  is  a  Copy  firing  which  outputs  p,  then  the 

number  of  tokens  with  value  (p,W)  in  equals  the  number  of 

tokens  with  value  (p,W)  in  (19)+(12)+(16)+(18) 

(21)  For  any  arc  b,  b  holds  a  token  of  value  (p,W)  in  (S'Ocp^cpj) 

but  not  in  (S’Ocpj)  *»  <p^  (<p2>  is  a  Copy  firing  which  outputs 

p,  or  (^2)  is  a  pi  firing  and  some  input  arc  of  d^  ^2)  holds 
a  token  of  value  (p,W)  in  J'Ocpj  (£’0<Pj)  (15)+Def.  2.2-4 

(22)  For  any  Select  operator  S  not  equal  to  d^  or  d2*  and  any  pointer 

P»  SfQ(p)  in  S’ Q  a  there  are  tokens  of  value  p  on  S’s  output 

(2)+Def .  7.1-1 


arcs  in  5* ' 6 
(23)  •  p€dom  I!  in  5' *0 


Thm.  2.2-1 
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(24)  =>  p*dom  n  in  S'Q  (2)-H)ef.  7.1-1 

(25)  a  neither  nor  ^  Is  a  Copy  firing  which  outputs  p  Lemma  5.2-1 

(26)  =>  If  there  are  zero  tokens  with  value  (p,W)  inS’Oq^  (^'Qcp^)* 

then  there  are  zero  tokens  with  value  (p,W)  in  5  *0q>2<p^ 

(21) 

(27)  S^Q(p)  in  S'Q  =»  s^Q(p)  in  (^'Otp^q^)  iff  there  are  zero 

tokens  with  value  (p,W)  in  either  S'Qq^  °r  S'Qip^^  (S'  Q<p^  or 
S *84)^2)  Def.  3.3-9 

(28)  iff  there  are  zero  tokens  with  value  (p,W)  in  OS’Otpj^) 

(22)+(26) 

(29)  For  any  Select  operator  S  not  equal  to  or  d^»  and  any  pointer  p, 

S(Q(p)  in  either  S’QcpjCpj  or  =»  S€Q(p)  in  5*0  Def.  3.3-9 

(30)  •  S€Q(p)  in5*0«p2(p1  lff  1  nS*eq>x<p2  (27)+(28)+(22)+(25)+(20) 

(31)  Assume,  say,  d^  is  a  Select  operator.  Let  A  he  any  firing  sequence 

starting  in  S  such  that  d^  is  enabled  in  5* a;  i.e.,  Atp>  where  q> 
is  a  firing  of  d^,  is  a  firing  sequence  starting  in  5  Def.  2.3-1 

(32)  A  and  A<p  are  firing  sequences  starting  in  5',  5'*A|i?’A  and 

S f * Acpijtf * Atp  (31)+Thm.  7.1-1 

(33)  Let5*'Abe  (r,U) .  Then  U  is  the  heap  in5’*A  (32)+Def.  7.1-1 

(34)  Let  q  and  8  be  the  values  of  the  tokens  on  d^'s  number-1  and  number- 

2  input  arcs  in  Strip(r,d^).  Then  those  arcs  have  tokens  of  value 
(q,R)  or  (q,W)  and  s  in  S*a  (33)+Def.  3.3-8 

(35)  Those  arcs  have  tokens  of  value  q  and  s  in  5' *  A  (34)+(32)+Def .  7.1-1 

(36)  There  are  tokens  of  value  p  on  d^'s  output  arcs  in 

Standardp((Strip(r,d^) ,U) ,d^)  iff  there  is  a  pair  (s,n(p))  in 
SM(n(q))  in  U  (34)+Defs.  3. 3-7+2. 2-5 
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(37)  iff  there  are  tokens  of  value  p  on  d^’s  output  arcs  in  S'*A< p 

(35)+(33)+Def .  2.2-5 

(38)  Letting  S‘  0  be  (r,U,Q),  for  any  p,  d^€Q(p)  in  Fire(5*9,d^)  iff 

there  are  tokens  of  value  p  on  d ,'s  output  arcs  in 

i  1 

Standardr((Strip(r,d1),U),d1)  (31)+Def.  3.3-9 

(39)  iff  there  are  tokens  of  value  p  on  d^'s  output  arcs  in 

(31)+(33)+(36)+(37) 

(40)  iff  there  are  tokens  of  value  p  on  those  arcs  in  (8)+(10) 

(41)  iff  there  are  tokens  of  value  p  on  d^s  output  arcs  in  s '  ’  (^) 

(42)  iff,  letting  S' 0cp2  be  (r'.U'.Q'),  there  are  tokens  of  value  p  on 

d^'s  output  arcs  in  Standardj,((Strip(r' .d^)  ,U')  ,d^) 

(31)+(33)+(36)+(37) 

(43)  iff  dj€Q(p)  in  FireCS  *e<p2,d  )  (31)+Def.  3.3-9 

(44)  There  are  tokens  on  d^'s  output  arcs  of  value  p  inS'*9<p.^  =» 

p£ dom  n  in  that  state  Thm.  2.2-1 

(45)  =*  tf>2  fa  not  a  Copy  firing  which  outputs  p,  nor  is  (p^(31)+Lemma  5.2-1 

(46)  For  any  p,  d^(  Q(p)  in  S  *0<p  ^  iff  d^€Q(p)  in  Fire(5*9,d^)  and 

there  are  not  zero  tokens  of  value  (p,W)  in  5*9(p^  and  there  are 

not  zero  tokens  of  value  (p,W)  inS'Sip^^  Def.  3.3-9 

(47)  iff  d^€Q(p)  in  Fire(5*9,d^)  and  there  are  not  zero  tokens  of  value 

(p,W)  in  S*9(Pj<p2  (38)+(39)+(44)+(45)+(25)+(26) 

(48)  iff  dj€Q(p)  ih  Ftre^'G^.d^ )  and  there  are  not  zero  tokens  of  value 

(p,W)  in  5  •9<p^P1  (38)+(43)+(39)+(44)+(45)+(20)+(25)+(26) 

(49)  iff  drfQ(p)  in  Def.  3.3-9 

By  synaetry, 

(50)  d2  is  a  Select"  Vp,  d2*Q(p)  in  5*9< iff  d2fQ(p)  in  S’ 
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(51)  For  any  Select  operator  S  and  any  pointer  p,  S€Q(p)  in  S'q^^,^  iff 

S€Q(p)  in  5*0<p1(P2  (20)+(30)+(46)+(49)+(50) 

(52)  For  any  arc  b  in  P,  b  is  empty  in  S’ftp^^  Iff  b  is  empty  in 

5*'0<p 2<P^  or  b  Is  an  output  arc  of  a  Select  operator  S  and  there 

(2)+Def .  7.1-1 
(4) 

(54)  b  is  an  output  arc  of  a  Select  operator  S  and  there  is  a  pointer  p 

(51) 

(2)+Def.  7.1-1 

(56)  b  holds  a  token  of  non-pointer  value  v  in  S-Q^^p^  iff  b  holds  a 

token  of  value  v  in  iff  b  holds  a  token  of  value  v  in 

S'  *  0tp1<p2  fff  b  holds  a  token  of  value  v  in  5-0ip1(p2(4)+(2)+Def .  7.1-1 

(57)  b  holds  a  token  of  value  (p,R)  or  (p,W)  for  pointer  p  in  S' 0iP2<P^ 

iff  b  holds  a  token  of  value  p  in  S' •  ftp  «p  iff  b  holds  a  token  of 
value  p  in  S^ftp^^  iff  b  holds  a  token  of  value  (p,R)  or  (p,W)  in 


is  a  pointer  p  such  that  S€Q(p)  in 
(53)  iff  b  is  empty  in  S'*0<pj<p2  or 


such  that  S€Q(p)  in  S’Qtp^p^ 
(55)  iff  b  is  empty  In  S'ftp^p^ 


(4)+(2)+Def.  7.1-1 


S'ftp^ 

(58)  For  each  actor  d,  there  are  the  same  number  of  firings  of  d  in 

and  and  if  d  is  a  gate,  the  kth  firings  of  d  in 

and  ftfy<p2  remove  the  same  control  token  (7) 

(59)  For  any  actors  d  and  d',  the  k^  firings  of  d  in  0(P2<P^  and  0<p^<p2 

are  preceded  by  different  numbers  of  firings  of  d’  =■»  d  and  d'  are 
d^  and  dj,  and  the  k**1  firing  of  d  is  either  <p^  or  =»  that 
firing  does  not  remove  a  token  from  an  output  arc  of  d'  (8)4(10) 

(60)  For  any  arc  b  which  holds  pointer-valued  tokens  in  S'  0^^  and 

S'  Otp^ cpj »  either  both  are  read  pointers  or  both  are  write  pointers 

(58)+(59)+Lemaa  7.2-5 


(61)  The  heaps  in  and  5'6(p1(p2  «e  identical  (31)+(33)+(4) 

(62)  S'  fy 2^1  and  5r*  ©4>i<P2  are  identical  (51)+(52)+(55)+(56)+(57)+(60)+(61) 

A 

Lemma  7,2-6  Given  any  1^  program  P,  let  2  be  any  halted  firing  sequence 
starting  in  any  initial  modified  state  S  for  P.  Let  0 <p2<p^  be  any  prefix 
of  2  and  let  2  be  such  that  2  *  0<P2cPj2«  If  0cp^<p2  is  a  firing  sequence 
starting  in  S  and  5*0<pjq>2  is  identical  to  <S’"0<p2<p^,  then  2’  ■  ©<P1<P2S  is  a 
halted  firing  seqeuence  starting  in  S  and  r)(5, 2')  contains  the  same  set 
of  entries  as  t)(S,2)  . 

Proof :  (The  lengthy  proof  of  this  intuitive  result  is  in  Appendix  E.) 

A 

Theorem  7.2-3  Every  expansion  (Int,J)  from  EEd^.M)  satisfies  the 
Commutativity  Axiom. 

Proof;  (All  initiations  and  reconstructions  are  with  respect  to  Int.) 

(1)  Let  agf6  be  any  computation  in  any  job  J(J  such  that  afg6  is  also 

in  J. 

(2)  (Int,J)  is  the  expansion  of  some  LQ  program  P,  Int  *  Int(P),  and 

there  is  an  equivalence  class  E  of  initial  modified  states  for  P 

such  that  J  ■  J_  (1)+Defs.  4. 3- 1+4. 3-3 

£ 

(3)  Let  t  be  any  transfer  in  ETj(agf6).  Then  there  is  an  entry  h 

with  T(h)  ■  t  such  that  agf6h  is  in  J  Def.  6.2-2 

(4)  There  is  an  initial  modified  state  S^€E  for  P  and  a  halted  firing 

sequence  2^  starting  in  5^  such  that  agfSh  is  a  prefix  of  some 

p  in  J«  0,.  (2)+(3)+Def .  4.3-3 

l»“l 

(5)  There  is  an  initial  modified  state  S2€E  for  P  and  a  halted  firing 

sequence  22  starting  in  £2  such  that  afg6  is  a  prefix  of  some  p* 


(l)+(2)+Def .  4.3-3 


(16)  afgShy  Is  a  causal  permutation  of  p,  hence  of  ^(S^.fij)  (6)+(14) 

(17)  f  and  g  are  input  entries  of  the  same  execution  Ex(d,k)  «*  f  is  the 

initiating  entry  in  agf  iff  g  is  the  initiating  entry  in  afg  and 
d  is  in  St-DL  Defs.  4 . 2-6+4 . 3-2+4 . 3-1 


(18)  -  $(ag)  ■  <Ha)  ■  $(af)  =*  [f  is  the  initiating  entry  in  agf  » 

$(agf)  -  <Ha)cp,  where  <p  is  a  firing  of  d,  and  $(afg)  *  $(a)<p]  A 
[f  is  not  the  initiating  entry  in  agf  ■»  $(agf)  ■  $>(a)  ■  $(afg)] 
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Def  s .  4 . 3-4+4 .2-6 


=»  $(agf)  -  $(  afg) 

(19)  f  and  g  are  Input  entries  to  distinct  executions  Ex(d^,k^)  and 

Ex(d2,k2)  respectively  =»  [f  is  an  initiating  entry  and  d^€St-DL 
=*  g  is  not  an  initiating  entry  or  d^St-DL  =»  $(agf)  *  ^(ag)^, 
where  <p^  is  a  firing  of  d^,  and  $(ag)  ■  $>(a)  A 

$(afg)  =  $(af)  *  $(a)cp^]  A  [g  is  an  initiating  entry  and  d^t-DL 
=»  f  is  not  an  initiating  entry  or  d^St-DL  =»  $(agf)  *  <i>(a)<p2» 
where  tp^  is  a  firing  of  dj  and  $(afg)  =  4>( af >  <p2  *  #(a)cp2]  =» 

<i>(agf)  =  <$(afg)  Def.  4.3-4 

(20)  A  [f  is  not  an  initiating  entry  or  d^St-DL  A  g  is  not  an  initiating 

entry  or  djfSt-DL  =»  <f>(agf)  *  $(a)  *  $(afg)]  Def.  4.3-4 

(21)  $(agf)  -  $(afg)  (17)+(18)+(19)+(20) 

(22)  $(agf 6hy)  «  $({3)  is  the  reduction  of  (6)+(4)+Def.  4.3-5 

(23)  Let  0  be  any  firing  sequence  whose  reduction  is  $>( agf )  =  $(afg) . 

For  any  prefix  c  of  6hy,  let  A  be  such  that  $>(agfc)  ($(afgc))  is 
the  reduction  of  9A.  Then 'Kafgc)  ($(agft))  is  also  the  reduction 
of  0A  (21)+Lemma  7.2-4 

(24)  #>(afg6hy)  is  the  reduction  of  S2^  (22)+(23)+Def .  2.4-5 

(25)  Let  e'k  be  any  prefix  of  afg6hy.  Let  A  be  the  prefix  of  whose 

reduction  is  $(6').  k€afg6  =  e'k  is  a  prefix  of  afg6  =*  e'k  is  a 
prefix  of  p'  =»  letting  A2  be  the  prefix  of  S22  whose  reduction  is 
$(e'),  A  is  a  firing  sequence  starting  in  5^  which  is  equal  to  A2 

(5)+Lemma  7.2-2+Defs.  2. 3-1+2. 4-5 

(26)  =»  *^2  e9ual®  5^*A  (15)+Thm.  7.1-2 

(27)  kj(afg6  =»  3c:  e'k  •  afgck  =>  |$(afg)  (  £  |$(e')|  =»  A  can  be  written  as 

9X  where  the  reduction  of  0  is  $(afg)  Defs.  4. 3-4+2. 4-5 
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(28)  =  $(agft)  is  the  reduction  of  OX  ■  A 


(23) 


(29)  =»  there  is  a  prefix  ek  of  agf6hr  such  that,  for  ^  the  prefix  of 

whose  reduction  is  #(e)  -  $(agft),  A  is  identical,  hence  equal, 
to  (25)+Def.  2.4-5 

(30)  -  si'&i  equals  S ^A  (15)+Thm.  7.1t2 

(31)  afgShry  is  in  (4)+(5)+(16)+(24)+(25)+(26)+(27)+(30)+Lemma  7.2-8 

(32)  afgSh  is  in  Jg  -  J  (31)+(4)+(5)+Def .  4.3-3 

(33)  T(h)  is  in  ETj(afg6)  (32)+Def.  6.2-2 

Case  11:  f  and  g  are  the  initiating  entries  of  two  distinct  executions 

e^  *  Ex(dpk^)  and  *  Ex(d2»k2),  where  d^  and  are  both  labels  of 

actors  in  P. 

(34)  agf  and  afg  are  both  in  J  (4)+(5)+(2)+Def .  4.3-3 

(35)  There  are  prefixes  0<p2<P1  of  ^  and  0'(p’<p’  of  22’  whose  reductions 

are  $(agf)  and  $(afg),  such  that  0'  equals  9  and,  for  i-1,2,  <|> 

(<p|)  is  the  firing  of  d^.  Furthermore,  cp^  and  q>2  potentially 

interfere  in  iff  Ent(e^,l)  and  Ent^j.l)  are  in  the  same 

access  history  and  e^R^)  in  agf  (2)+(34)+(4)+(5)+Lemma  7.2-3 

(36)  Ent(e^,l)  and  Ent(e2»l)  are  in  the  same  access  history  and  e^CRtej) 

in  agf  =»  (Int ,J)  does  not  satisfy  the  Freedom-from-conflict  Axiom 

(l)+(34)+Axiom  6.2-7 

(37)  <pA  and  <j>2  do  not  potentially  interfere  in  (35)+(36)+Thm.  7.2-1 

(38)  9<P1<<>2  equals  0’tp£cp^  (35)+Def.  2.4-5 

(39)  Let  m  be  ^(SpO^ip^) ,  and  let  NAR  be  the  node  activation  record 

derived  from  an<^  “•  For  any  pointer-node  pair  (p,n),  (p,n) 

is  in  a  Copy  firing  in  iff  there  is  a  Copy  label  C  and  an 

integer  k  such  that  there  are  at  least  k  firings  of  C  in 
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and  the  kth  is  (C,(p,n))  iff  Ex(C,k)  is  initiated  in  ®  and  the  kth 


firing  of  C  in  2^  is  (C,(p,n)) 
(43)  iff  (p,n)  is  in  ran  NAR 


Lemma  4.3-1+Defs.  4. 3-1+4. 2-6 
Def.  5.2-4 


(41)  The  multiset  of  pointer-node  pairs  in  the  Copy  firings  in  i8 

ran  NAR,  which  is  consistent  with  the  heap  in 

(39)+(40)+Lerama  5.2-2 

(42)  9<p i®  a  firing  sequence  starting  in  5^ 

(35)+(15)+(38)+(41)+Cor.  7.1-2 

(43)  and  are  identical  states  (35)+(42)+(37)+Thm.  7.2-2 

(44)  Let  S  be  such  that  and  let  ai  be  Then  is  a 

halted  firing  sequence  starting  in  S and  r|(5^,2^)  consists  of 
the  same  set  of  entries  as  t}(S^,2^)  (4)+(35)+(42)+(43)+Lemma  7.2-6 

(45)  afg6hy  is  a  permutation  of  r)(5^,2^) 

(46)  afgShy  is  a  permutation  of  "n(f>^,2^)  (45)+(44) 

(47)  $(agf6hy)  is  the  reduction  of  2^  =  (22)+(44) 

(48)  <£(afg)  is  the  reduction  of  ©<P1q>2  (35)+Def.  2.4-5 

(49)  4>(afg6hY)  is  the  reduction  of  9cp ^cp 2S  = 

(35)+(48)+(47)+(44)+Lemma  7.2-4 

(50)  Let  e'k  be  any  prefix  of  afgShy.  Let  A  be  the  prefix  of  2j_  whose 

reduction  is  $(e').  k€afg6  =>  e'k  is  a  prefix  of  afg6  =»  letting  A2 
be  the  prefix  of  22  whose  reduction  is  $(e’),  A  is  a  firing  sequence 
starting  in  which  is  equal  to  A2  (44)+Defs.  2. 3- 1+2. 4-5 

(51)  ~S2‘bz  equals  A  (15)+Thm.  7.1-2 

.  (52)  09^2  equals  S^Ocp^  (43)+Defs.  7. 1-2+3. 4-1 

(53)  k(a£g&  »  3c:  e'k  -  afgtk  -  |*(afg)|  S  |$(e’)|  -  A,  whose  reduction 
is  $(afg e),  can  be  written  as  A  -  (45)+(4«)+(50)+t>ef  . 


(44)+Def s .  2. 3- 1+2. 4-5 
(15)+Thm.  7.1-2 
(43)+Defs.  7. 1-2+3. 4-1 


A0-A083  233  MASSACHUSETTS  INST  OF  TECH  CAMBR206E  LAB  FOR  COMPUTE— "ETC 
r  OATA-STRUCTURING  OPERATIONS  IN  CONCURRENT  COMPUTATIONS. «U) 

OCT  79  D  L  ISAMAN 
UNCLASSIFIED  MIT/LCS/TR-224 


F/6  9/2 
NL 


(54)  »  $(agft)  is  the  reduction  of  (ty^cpjX  (35)+(48)+Lenma  7.2-4 

(55)  9  there  is  s  prefix  ek  ■  agftk  of  agffihy  such  that,  for  the 

prefix  of  whose  reduction  is  4>(e)  ■  $(agfc),  S^'A ^  ■  ^‘©cp^jX 
equals  S^A  -  S^ftp^X  (50)+(44)+(52)+Lemma  7.2-2+Th*.  7.1-2 

(56)  afgfihy  is  in  J.  0, 

(4)+(5)+(44)+(14)+(46)+(49)+(50)+(51)+(53)+(55)+Lemma  7.2-8 

(57)  afg6h  is  in  JE  -  J  (56)+(4)+(5)+Def .  4.3-3 

(58)  T(h)  is  in  ET^afgS)  (57)+Def.  6.2-2 

In  either  case  then, 

(59)  For  any  transfer  t,  t€ETJ(agf6)  =»  t€ETJ(afg6)  (3)+(35)+(58) 

By  symmetry, 

(60)  For  any  transfer  t,  t€ETj(afg6)  =»  t€ETj(agf6); 

i.e.,  ET  (afg6)  -  ET.(agf6) 

A 

7.2.4  Persistence 

The  Persistence  Axiom  asserts  that  for  any  job  J  and  any  computation 
ag  in  J,  for  any  transfer  t  #  T(g),  t€ETj(a)  »  t€ETJ(ag).  In  other  words, 
once  a  transfer  becomes  eligible,  it  remains  so  until  the  appearance  of  an 
entry  having  that  transfer.  The  analogous  property  of  the  schema  model  of 
data  flow  —  that  once  enabled,  an  actor  remains  enabled  (with  the  same 
tokens  on  its  input  arcs)  until  it  fires  —  is  easily  demonstrated: 

Theorem  7 . 2-4  Let  S  be  any  initial  modified  state  for  any  program  P.  Let 
ftp  be  any  firing  sequence  starting  in  S,  and  let  d  be  the  actor  of  which 
the  last  firing  <p  is  a  firing.  Then  for  any  actor  d*  t  d,  each  input  arc 
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o£  d'  which  holds  a  token  In  5*6  holds  the  same  token  In  5*6<p,  and  d'  is 
enabled  in  5*6  =»  d'  is  enabled  In  5*0<p. 

Proof: 

(1)  If  d  is  a  Select,  its  output  arcs  are  all  empty  in  5*6 

Defs.  3. 3-6+2. 1-4 

(2)  Any  arc  which  has  a  token  in  S’Q  but  no  token  in  5*6<p  is  an  input 

arc  of  d  (1)+Defs.  3. 3-9+2. 1-5 

(3)  Let  d'  be  any  actor  except  d.  No  input  arc  of  d  is  an  input  arc  of 

d'  and  no  output  arc  of  d  is  an  output  arc  of  d*  Def.  2.1-1 

(4)  Any  arc  which  holds  a  token  in  5‘6<p  which  it  does  not  hold  in5*0 

is  either  an  output  arc  of  d  or  a  data-output  arc  of  a  Select 
operator  S  for  which  there  is  a  p  such  that  SfQ(p)  in  S’Q 

Defs.  3. 3-9+2. 1-5 

(5)  No  arc  holding  a  token  in  5*6  is  an  output  arc  of  dDefs.  3. 3-6+2. 1-4 

(6)  No  arc  which  has  a  token  in  5*6  is  a  data-output  arc  of  a  Select 

operator  S  for  which  there  is  a  p  such  that  S€Q(p)  in  5*6  Cor.  7.1-1 

(7)  Each  input  arc  of  d'  which  holds  a  token  in  5*6  holds  the  same 

token  in  5*6<p  (2)+(3)+(4)+(5)+(6) 

(8)  d'  is  enabled  in  5*6  =»  there  is  no  pointer  p  such  that  d'(Q(p)  in 

5*6  (3)+Def .  3.3-6 

(9)  =»  since  cp  is  not  a  firing  of  d’,  there  is  no  pointer  p  such  that 

d*€Q(p)  in  5*0<p  Def.  3.3-9 

(10)  ■»  (d *  is  not  enabled  in  5*  6tp  =»  either  there  is  an  input  arc  of  d' 
which  holds  a  token  in  5*9  but  holds  either  no  token  or  a 
different  control  token  in  5*0<p,  or  there  is  an  output  arc  of  d' 
which  has  no  token  in  5*6  but  has  one  in  5*6<p]  Def.  3.3-6 
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(11)  a  no  output  arc  of  d'  Is  an  output  arc  of  a  Select  operator  S  for 

which  there  is  a  p  such  that  S€Q(p)  in  5*8  (8)+Def .  2.1-1 

(12)  =>  d'  ia  enabled  in  S* 8<p  (2)+(3)+(4)+(5)+(6) 

A 

Proving  persistence  in  the  entry-execution  model  is  considerably 
more  difficult:  Any  computation  ag  in  a  job  J  is  a  prefix  of  some  06JC 
where  5  is  an  initial  modified  state  and  S  is  a  halted  firing  sequence 
starting  in  S.  For  any  t€ETj(a),  there  is  a  computation  ah€J  with 
T(h)  -  t,  so  there  is  an  initial  modified  state  5'  equal  to  5,  and  a 
halted  firing  sequence  S'  starting  in  5',  such  that  ah  is  a  prefix  of  some 
P '€J^i  .  The  goal  is  to  construct  a  halted  firing  sequence  X  starting 

in  5  such  that  there  is  a  computation  agR6  in  x,  where  T(h)  •  t. 

Every  entry  in  ag  must  be  in  t)(5,S).  The  non-dumny  targets  of  those 
entries  can  be  partitioned  into  two  sets  of  executions:  AF  *  (Ex(d,k) | 
djfDL  and  Ex(d,k)  is  initiated  in  a)  and  EF  -  {Ex(d,k) |  dfDL  and  Ex(d,k) 
has  an  input  entry  in  ag  but  is  not  initiated  in  a}.  For  any  e  ■  Ex(d,k), 
e€AF  iff  there  are  k  firings  of  d  in  the  prefix  8  of  2  whose  reduction  is 
$(a)  (Theorem  4.3-2)  iff  all  input  entries  to  e  in  a  are  in  r|(5,8)  iff 
for  any  X  having  6  as  a  prefix,  all  input  entries  to  e  in  a  are  In  r)(5,X). 
It  is  much  harder  to  accomodate  an  input  entry  f  to  an  execution  Ex(d,k)  in 
EF:  X  must  be  constructed  so  that  there  is  a  firing  of  d  in  X  (which 
there  is  not  in  8)  and  that  firing  removes  the  same  tokens  from  the  same 
set  of  input  arcs  as  the  k^*1  firing  of  d  in  &.  Similarly,  the  target 
Ex(d',k')  of  h  is  not  initiated  in  a,  so  there  are  not  k'  firings  of  d*  in 
8;  nonetheless,  there  must  also  be  a  k,t*‘  firing  of  d'  in  X  which  removes 
the  same  tokens  from  the  same  set  of  input  arcs  as  the  k,C^  firing  of  d' 
in  8* . 


For  any  input  entry  f  in  ag  of  an  execution  e  -  Ex(d,k) €EF,  there  is 
a  j  such  that  T(f)  has  destination  Dst(e,j),  and  there  is  a  6  such  that  5f 
is  a  prefix  of  £3.  Since  f  is  in  r}(5,2),  there  is  a  prefix  Aip  of  2  in  which 
<p  is  the  k**1  firing  of  d.  Since  there  are  fewer  than  k  firings  of  d  in  6, 

0  is  a  prefix  of  A.  In  5*  A,  d  is  enabled,  and  if  d  is  a  merge  gate  and 
its  number- j  input  arc  b  is  its  T  (F)  input  arc,  then  d's  control  input 
arc  holds  a  true  (false)  token.  The  only  reasonable  way  to  guarantee  that 
a  X  can  be  constructed,  having  0  as  a  prefix  and  containing  a  k^1  firing 
of  d  which  is  not  in  0,  is  to  guarantee  that  d  is  enabled  in  5*0;  further¬ 
more,  if  d  is  a  merge  gate  and  b  is  its  T  (F)  input  arc,  then  d's  control 
input  arc  should  hold  a  true  (false)  token  in  5*0.  Then  by  Theorem  7.2-4, 
any  X  with  0  as  a  prefix  must  contain  a  k^1  firing  of  d  which  removes  a 
token  from  b.  The  "worst  case"  of  f  ■  g,  so  6  *  a,  motivates  one  of  the 
unexplained  requirements  included  in  Definition  4.3-5,  that  for  S  the 
prefix  of  2  whose  reduction  is  $(6) ,  d  is  enabled  in  5*3,  with  a  prescribed 
control  input  if  it  is  a  merge  gate. 

If  f  #  g,  then  3  may  be  a  prefix  of  0;  i.e., 

|s|  £  |e|  s  | a | 

There  can  be  no  firing  of  d  in  A  which  is  not  in  3,  as  the  following 
reasoning  shows:  The  token  on  b  in  5*3  remains  there  until  the  next  firing 
of  d  (Theorem  7.2-4).  If  b  is  an  output  arc  of  an  actor  c,  then  f  is  an 
output  entry  of  Ex(c,n)  where  there  are  n  firings  of  c  in  A.  By  causality, 
Ex(c,n)  is  initiated  before  f;  i.e.,  in  6,  so  by  Theorem  4.3-2,  there  are 
at  least  n  firings  of  c  in  3.  Therefore,  every  firing  of  c  in  A  is  in  3. 

If  there  are  any  firings  of  d  in  A  but  not  in  3,  the  first  of  them  neces¬ 
sarily  removes  from  b  the  token  which  is  on  it  in  5*3. 


But  there  is  a 
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token  on  b  in  5*  A,  which  could  only  be  placed  there  by  a  firing  of  c  in  a 
which  is  not  in  3.  Thus,  there  are  the  sane  nuober  of  firings  of  d  (k-1) 
in  A  and  3,  hence  in  0.  Furthermore,  d  is  enabled  in  5*0 ,  with  the  proper 
control  input  if  it  is  a  merge  gate,  and  d's  input  arcs  hold  the  same 
tokens  in  5*A  and  in  5*3,  hence  in  5*0.  Finally,  if  b  is  an  output  arc 
of  actor  c,  then  there  are  the  same  number  of  firings  of  c  in  A  end  3, 
hence  in  0  (Lemma  7.2-7  below). 

The  above  is  true  for  any  Ex(d,k)€EF,  so  every  actor  in  the  set 

{d |  3k:  Ex(d,k)€EF>  is  enabled  in  5*6.  Similarly,  for  the  target  Ex(d',k')- 

of  h,  d'  is  enabled  in  5' *6',  where  0’  is  the  prefix  of  s'  whose  reduction 

is  $(a)  •  Since  the  reductions  of  6  and  6'  are  both  <J>(a) ,  6  and  6'  are 

equal;  since  S  and  s'  are  equal  states.  S' *6*  equals  5*0.  Therefore,  d' 

is  also  enabled  in  5*6  (Corollary  7.1-2),  with  the  same  control  input  if 

it  is  a  gate.  I.e.,  all  actors  in  the  set  EA  *  {d|  3k:  Ex(d,k)€EF}  U  (d* > 

are  enabled  in  5*6.  As  will  be  seen,  any  ordering  d, ,  d.,...,d  of  the 

l  a  in 

actors  in  EA  is  an  acceptable  firing  order  in  X  if  it  satisfies  the 

following:  If  g  initiates  execution  Ex(d",k"),  then  d1  -  d"  and  d 2  -  d', 

where  Ex(d* ,k*) _  is  h's  target;  otherwise,  d1  »  d'.  No  firing  of  an  actor 

in  EA  can  disable  or  affect  the  input  tokens  of  any  other  enabled  actor  in 

the  set  (Theorem  7.2-4).  Therefore,  ©<p_<p_  ...<p  where  <p.  is  a  firing  of  d . , 

l  a  n  l  x 

is  a  firing  sequence  starting  in  5  in  which  removes  the  tokens  which  are 
on  d^'s  input  arcs  in  5*0  (Corollary  7.2-1  below).  Now  X  is  chosen  to  be 
any  halted  firing  sequence  starting  in  5  having  0<p^q>2 •  •  *<|>m  as  a  prefix. 

For  any  entry  f€ag,  with  transfer  (s,Dst(e,j))  where  e  -  Ex(d,k), 
there  are  two  cases  to  consider: 


m 


Then  eCAFUEF.  If  e  is  in  AF,  it  has  already  been  argued  that  f  is  in 
t](5,0),  hence  in  tj(5, X) .  Otherwise,  d  is  in  EA,  so  there  is  some  i  such 
that  <j>^  is  a  firing  of  in  •  •<(>,,♦  Since  there  are  exactly  k-1 

firings  of  d  in  6  (Lemma  7.2-7),  is  the  k**'  firing  of  d  in  X.  As 
above,  there  is  a  prefix  Acp  of  fi  in  which  <p  is  the  kth  firing  of  d, 

<p  removes  a  token  of  value  V(f)  from  d*s  number-j  input  arc  b,  and  s  is 
Source (b, 5, A) •  If  d  is  a  merge  gate  and  b  is  its  T  (F)  input  arc,  then 
d’s  control  input  arc  holds  a  true  (false)  token  in  S’ 0  (Lemma  7.2-7), 
hence  in  5*0<p^...(pi  ^  (Corollary  7.2-1).  The  token  on  b  in  S’fi  is  on  b 
in  5*6,  and  so  is  on  b  in  5*0<p^. .  .<p^  Because  of  that  token,  b  is  an 
output  arc  of  actor  c  =»  c  is  not  enabled  in  S’6  *  c  is  not  in  EA  =»  the 
number  of  firings  of  c  in  0<p^...<pj_^  equals  the  number  in  0,  which  equals 
the  number  in  A  (Lemma  7.2-7);  from  Lemma  7.1-2,  then,  Source(b,5, A) , 
which  is  8,  equals  Source(b ,5* •••<)>£_ j)  .  Therefore,  the  kth  firing  of 
d  in  X,  (f)^,  removes  a  token  of  value  V(f)  from  d’s  number-j  input  arc,  so 
there  is  an  entry  with  value  V(f)  and  transfer  (s,Dst(Ex(d,k) ,j))  in 
T)(5,X);  i.e.,  f  is  in  r)(5,X) . 

Case  II:  d€DL 

Either  d  *  ("OD",n)  or  d  -  (c,n)  for  some  actor  label  c.  There  is  a 
token  of  value  V(f)  on  arc  b  in  5*2,  where  if  d  -  ("OD",n),  b  is  the 
number-n  program  output  arc,  and  otherwise  b  is  the  number-n  input  arc  of 
c;  furthermore,  s  -  Sour ce(b ,5,2) .  There  is  a  6  such  that  §f  is  a  prefix 
of  ag,  and  there  is  a  prefix  S  of  2  whose  reduction  Is  $(5).  As  before, 

S  is  a  prefix  of  6,  hence  of  X.  By  the  second  unexplained  requirement  in 
Definition  4.3-5,  there  is  a  token  on  b  in  S’ S,  end  if  b  is  an  input  arc 
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of  c,  no  firing  sequence  starting  in  5*S  contains  a  firing  of  c.  If  b 
is  a  program  output  arc,  then  the  token  on  b  in  S’ S  is  still  on  b  in  both 
S’Q  and  s*x.  If  b  is  an  input  arc  of  c,  then  c  never  fires  after  s  in 
either  a  or  X,  so  the  token  on  b  in  S’ S  is  there  in  and  S’X.  Further¬ 
more,  if  b  is  an  output  arc  of  an  actor  c',  that  token  keeps  c'  disabled, 
so  there  are  the  same  number  of  firings  of  c’  in  both  a  and  X  as  there  are 
in  S;  hence,  Source(b,S,X)  -  Source(b,S,2)  ■  s.  Therefore,  f  is  in  t](5,X) . 

Thus  it  is  seen  that  every  entry  in  ag  is  in  r|(S,X) .  Very  similar 
reasoning,  together  with  the  fact  that  s'’ 0'  equals  S*0»  proves  that  there 
is  an  entry  h  in  r}(S,X)  with  at  least  the  same  transfer  as  h.  Letting  6 
be  r|(S,X)  with  every  entry  in  agh  stricken  out  —  i.e.,  entry  follows 
entry  f^  in  6  if  f  f2  follows  f^  in  T](S,X)  and  neither  is  in  agh  —  agh6  is 
a  permutation  of  T)(S,X)  .  If  agh6  is  in  J  Y,  then  agh  is  in  J,  so 
T(h)  -  T(h)  -  t  is  in  ETj(ag),  as  was  to  be  shown. 

It  is  easily  seen  that  agh6  is  causal:  For  any  prefix  of  agh6, 

in  which  f  is  an  output  entry  of  an  execution  e,  if  f  is  in  ag,  or  is  h, 
then  e  is  initiated  in  y  because  ag  and  ah  are  causal.  If  f  is  in  6, 
then  the  initiating  entry  of  e  precedes  f,  either  because  it  is  in  agh  or 
because  it  precedes  f  in  the  causal  t)(S,X). 

Proving  that  $(agh6)  is  the  reduction  of  X  is  more  difficult.  Let¬ 
ting  the  targets  of  g  and  h  be  Ex(d”,k")  and  Ex(d'  ,«c' )  respectively, 

$(agh)  is  given  by: 

a.  if  neither  g  nor  h  is  an  initiating  entry,  then  $(a),  the  reduction 
of  8 

b.  if  only  g  is  an  initiating  entry,  then  $(a)<p  »  where  <p  is  a  firing 

A  A 

of  d" 
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c.  If  only  h  is  an  initiating  entry,  then  $(0)4^*  where  ^  is  i  firing 
of  d’ 

d.  if  both  are  initiating  entries,  then  4>( a) 4^4^ • 

By  construction,  if  g  is  an  initiating  entry,  then  there  is  a  prefix  6<p^q>2 
of  X  in  which  4^  is  a  firing  of  d"  and  4^  is  a  firing  of  d' ;  otherwise, 
there  is  a  prefix  in  which  <p^  is  a  firing  of  d* .  From  these  two 
observations,  $(agh)  is  the  reduction  of  a  prefix  A  of  X,  the  length  of 
which,  m,  equals  the  length  of  $(agh). 

Since  ♦(tj(S,X))  Is  the  reduction  of  X  (Lemma  4.3-3),  the  n^  firing 
in  X  is  a  firing  of  actor  d  iff  the  n^  execution  initiated  in  r|(5»X)  is 
an  execution  of  d.  For  n  5  m,  this  is  iff  the  n**1  firing  in  $(agh6)  is  a 
firing  of  d.  The  first  m  executions  initiated  in  T)(S,X)  are  initiated  in 
ti(S,A).  Ex(d,k)  is  among  these  iff  there  are  at  least  k  firings  of  d  in 
A  iff  Ex(d,k)  is  initiated  in  agh  (by  Theorem  4.3-2,  since  <Hagh)  is  the 
reduction  of  A) .  Therefore,  for  any  n  >  m  and  any  i,  the  i^  initiating 
entry  in  agh6,  f’,  precedes  the  nC^  such  entry,  f,  iff  f  is  in  6  and 
either  i  -  m,  or  1  >  m  and  f *  is  in  6  iff  the  execution  initiated  by  f*  is 
Initiated  among  the  first  m  in  T|(S,X),  or  f*  precedes  f  in  r|(S,X)  (by  con¬ 
struction  of  6)  iff  the  the  iC^  initiating  entry  in  T)(S,X)  (which  is  not 
necessarily  f’)  precedes  the  n**1  initiating  entry  (which  is  necessarily  f ) . 
Thus,  the  n  ^  execution  initiated  in  r )(£,X)  is  an  execution  of  d  iff  the 
n  ^  execution  Initiated  in  orgh6  is  an  execution  of  f;  hence  the  n^  firing 
in  the  reduction  of  X  is  a  firing  of  d  iff  the  n**1  firing  in  $(agh6)  is  a 
firing  of  d.  I.e.,  $(agh5)  is  the  reduction  of  X. 

The  remainder  of  the  proof  that  agh6  is  in  Jc  v  uses  reasoning  devel- 
oped  earlier  in  conjunction  with  the  proof  of  commutativity.  It  has  been 


i 

\ 


-392- 


seen  Chat  agh6  is  a  causal  permutation  of  r\(£,X)  for  which  $(agh6)  is  the 
reduction  of  X.  The  goal  then  is  to  show  that  for  every  prefix  yf  of 
aghfi,  letting  A  be  the  prefix  of  X  whose  reduction  is  #(y) ,  there  is  an 
initial  modified  state  5^  equal  to  S  and  a  halted  firing  sequence  2^ 

starting  in  5.,  and  there  is  a  prefix  y'f'  of  some  e€J  n  >  where 

■1- 

T(f')  ■  T(f )  such  that,  letting  A'  be  the  prefix  of  2^  whose  reduction  is 
4>(y')*  5^' A'  equals  S'  A.  If  f  is  in  ag,  then  since  ag  is  a  prefix  of 
P€J^  *  S,  *  2,  y'f'  -  yf,  and  A*  *  A;  clearly  S^' A'  equals  5’A- 

If  f  is  in  6,  then  there  is  a  y'  such  that  y'f  is  a  prefix  of  ri(5»X)€J 
All  input  entries  to  f's  target  execution  e  are  consecutive  in  t](s,X),  so 

all  input  entries  to  e  in  6  are  consecutive.  For  any  other  execution 

e'  *  e,  the  initiating  entry  of  e*  is  not  between  f  and  e's  initiating 
entry  in  agh6,  and  so  it  precedes  f  (is  in  y)  iff  it  precedes  e's 
initiating  entry  in  aghfi  iff  it  precedes  e's  initiating  entry  in  ti(S,X) 
(by  the  above  paragraph)  iff  it  precedes  f  in  r|(s,X)  (is  in  y').  There¬ 
fore,  there  are  the  same  number  of  initiating  entries  in  y  and  y',  so 
there  is  some  n  such  that  |$(y')  (  *  |$(y)  j  *  n.  $(y)  is  the  length-n 
prefix  of  $(agh6)  and  <$(y')  is  the  length-n  prefix  of  $(t](S,X))  ;  both 
<$(agh6)  and  <$Cn(s, X))  are  the  reduction  of  X,  so  $(y')  *  $(y)  .  I.e., 

y’  and  y  have  the  same  reduction,  so  5^'A'  equals  £*A> 

Finally,  if  f  *  h,  f's  target  is  Ex(d',k').  Since  that  execution  is 

not  initiated  in  y  -  ag,  if  g  initiates  an  execution,  it  is  not  an  execu¬ 

tion  of  d'.  Therefore,  $(y),  the  reduction  of  A,  is  either  $(a)  or  $(a)(p 
where  <p  is  not  a  firing  of  d'.  There  is  a  prefix  ah  of  p'€J_,  n,  such 

U  9w 

that  T(h)  -  T(h)  •  T(f),  and  the  reduction  of  A  is  either  $(a)  or  4>(a)cp. 
Letting  A'  be  the  prefix  of  2'  whose  reduction  is  4>(a) ,  A'  equals  either 
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A,  or  6  where  A  ■  0<p  and  <p  is  not  a  firing  of  d'.  Therefore,  S' -A'  equals 
either  5* A  or  5*0.  If  S'* A'  equals  5*A,  then  the  reasoning  given  at  the 
end  of  the  discussion  of  Case  I  of  the  proof  of  commutativity  (Section 
7.2.3)  applies  for  all  f  in  aghfi,  so  agh6  is  in  If  5'*A'  equals  5*6, 

however,  the  following  extended  deduction  is  needed  for  f  *  h. 

Since  ah  is  a  prefix  of  (3'€J_,  ol,  d'fDL  •  d’  is  enabled  in  5**A'  =» 

D 

by  Corollary  7.1-2,  d'  is  enabled  in  the  equal  state  5*9  =»  by 
Theorem  7.2-4,  d'  is  enabled  in  5*3cp,  since  cp  is  not  a  firing  of  d'; 
furthermore,  if  d'  is  a  gate,  its  control  input  arc  holds  the  same  token  in 
5*9,  hence  in  5*9cp,  as  in  S'" A'.  Otherwise,  d'fDL=»d'  •*  (c,n)  and  there  is 
a  particular  arc  b  (the  number-n  input  arc  of  the  actor  labelled  c  if 
c  *  "OD")  which  holds  a  token  in  5'*A';  furthermore,  if  c  *  "OD",  no 
firing  sequence  starting  in  5'* A’  contains  a  firing  of  c  =>  b  holds  a  token 
in  5*9,  and  no  firing  sequence  starting  in  5*6  contains  a  firing  of  c 
(Corollary  7.1-2)  =»  tp  in  particular  is  not  a  firing  of  c  3  there  is  a 
token  on  b  in  5*0<p  *  5* A  (Theorem  7.2-4)  and  no  firing  sequence  starting 
in  5* A  contains  a  firing  of  c.  Therefore,  agh6  is  in  x,  so  agh  is  in 
J  and  T(h)  *  T(h)  *  t  is  in  ETj(ag),  as  was  to  be  proven.  (As  noted 
earlier,  for  purposes  of  efficiency,  a  single  lemma.  Lemma  7.2-8  below, 
is  fashioned  to  cover  the  cases  both  that  5' *  A'  equals  5*9  and  that  5’* A' 
equals  5* A.) 

The  rigorous  proof  that  every  expansion  satisfies  the  Persistence 
Axiom  is  given  on  the  following  pages. 


Lean*  7.2-7  Given  any  LQ  program  P,  let  Int(P)  be  (St,/, IE).  Let  5  be 
any  initial  modified  state  for  P  and  let  2  be  any  halted  firing  sequence 
starting  in  5.  Let  ah  be  any  prefix  of  any  p€J  ,  and  let  6  be  the 
prefix  of  2  whose  reduction  is  4>(a).  Let  e  -  Ex(d,k)  be  any  execution 
which  has  an  input  entry  in  ah  but  is  not  initiated  in  a,  and  in  which 
d€ST-DL.  Let  g  ■  Ent(e,j)  be  any  input  entry  to  e  in  ah  and  let  b  be 
d's  number- j  input  arc.  Finally,  let  A<p  be  the  prefix  of  2  in  which  <p  is 
the  kth  firing  of  d.  Then 

A:  d  is  enabled  in  5*6,  and  if  d  is  a  merge  gate  and  b  is  it  T  (F) 
input  arc,  then  d's  control  input  arc  has  a  true  (false)  token  in 
5*9. 

B:  There  are  exactly  k-1  firings  of  d  in  0. 

C:  The  token  on  b  in  5* A  i8  on  b  in  5*0. 

D:  b  is  an  output  arc  of  actor  c  =>  there  are  the  same  number  of  firings 
of  c  in  0  as  in  A. 

Proof: 

(1)  p  is  a  causal  permutation  of  t]CS>,2),  so  g  is  in  r|(5,2)  Def.  4.3-5 

(2)  Let  T(g)  be  (s,Dst(e, j)) .  Then  ip  removes  a  token  from  b  in  2,  and 

s  -  Source(b,5,A)  (1)+Alg.  4.3-1 

(3)  Let  6  be  such  that  6g  is  a  prefix  of  p.  Let  3  be  the  prefix  of  2 

whose  reduction  is  $(6) •  Then  3  and  A  are  firing  sequences 
starting  in  5  Def.  2.3-1 

(4)  d  is  enabled  in  5*3  and  if  d  is  a  merge  gate  and  b  is  it  T  (F) 

input  arc,  then  d's  control  input  arc  has  a  true  (false)  token 


in  5*3 


(3)+Def .  4.3-5 
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(5)  e  is  not  initiated  in  6  or  in  a  (3)+(l)+Def.  4.2-6 

(6)  There  are  fewer  than  k  firings  of  d  in  S  and  in  @ 

(3)+(l)+(5)+Thm.  4.3-2 

(7)  S  is  a  prefix  of  A,  as  is  0  (6) 

(8)  Let  s  *  Src(Ex(c' ,n) ,i) .  c'€DL  =>  if  b  is  an  output  arc  of  an  actor 

c,  then  there  are  zero  firings  of  c  in  A,  hence  in  3 

(2)+(3)+Lemma  7.1—3 

(9)  c'€St-DL  =»  c'  *  c,  the  label  of  a  actor  in  P,  b  is  an  output  arc 

of  c,  and  there  are  exactly  n  firings  of  c  in  A  (8)+(2)+Alg.  4.3-1 

(10)  A  Ex(c,n)  is  initiated  in  6  (3)+(2)+(8)+(l)+Defs .  4. 2-5+4. 2-7 

(11)  =>  there  are  at  least  n  firings  of  c  in  S  (3)+(l)+Thm.  4.3-2 

(12)  =>  there  are  exactly  n  firings  of  c  in  3  as  well  as  in  A  (7)+(9) 

(13)  If  b  is  an  output  arc  of  an  actor  c,  then  there  are  the  same  number 

of  firings  of  c  in  S  as  in  A  (8)+(9)+(12) 

(14)  There  is  a  token  on  b  in  S' 3  (4)+Defs.  3. 3-6+2. 1-4 

(15)  There  is  no  p  such  that  c€Q(p)  in  S' S  (14)+Cor.  7.1-1 

(16)  There  is  a  prefix  A  of  2,  |s|  <  |a|  2  | A |  such  that,  for  some  p, 

c€Q(p)  in  S'  A  =»  there  is  a  prefix  X<p  of  2,  |s|  <  |Xcp  |  2  |a| 

c  c 

such  that  cjfQ(p)  in  S'X  but  c€Q(p)  in  S‘Xcpc  (15) 

(17)  =»  q>c  is  a  firing  of  c  Def .  3.3-9 

(18)  If  b  is  an  output  arc  of  an  actor  c,  then  there  is  no  prefix  A  of 

2,  |s|  2  | A |  2  | A |  such  that,  for  some  p,  c€Q(p)  in  S' A 

(15)+(16)+(17)+(13) 

Prove  that  A,  B,  and  C  are  true  of  every  prefix  X  of  A  longer  than  3. 

Proof  is  by  induction  on  the  length  of  X.  Induction  hypotheses  are  A  with 
X  substituted  for  6,  and 
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E:  there  are  the  same  number  of  firings  of  d  in  X  as  in  S,  and 
F:  if  there  is  a  token  on  b  in  S' S,  then  the  same  token  is  on  b  in  S'X. 
Basis:  X  ■  S.  E  and  F  are  vacuously  true. 

(19)  A  (A) 


Induction  step:  Assume  the  induction  hypotheses  are  true  for  any  X, 

| H |  5  |x|  <  )A| ,  and  consider  prefix  X<p  of  8. 

(20)  d  is  enabled  in  S’X  and  if  d  is  a  merge  gate  and  b  is  its  T  (F) 

input  arc,  then  d's  control  input  arc  holds  a  true  (false)  token 
in  S'X  ind.  hyp. 

(21)  ip  is  a  firing  of  d  =>  there  is  no  token  on  b  in  S’X cp 


(20)+Defs .  3. 3-9+2. 2-1+2. 1-5 

(22)  =»  there  is  a  prefix  Acp'  of  S2,  |x<p|  <  |A<p*  |  5  | A )  such  that  there 

is  no  token  on  b  in  S'  A  but  there  is  one  in  S'  Atp'  (2) 

(23)  =»  b  is  an  output  arc  of  an  actor  c  and  either  ip'  is  a  firing  of  c 


or  there  is  a  p  such  that  c€Q(p)  in  S'  A 
(2A)  cp  *  is  not  a  firing  of  c 

(25)  There  is  no  p  such  that  cfQ(p)  in  S’  A 

(26)  cp  is  not  a  firing  of  d 

(27)  A  for  X<p 

(28)  E  for  Xcp 

(29)  If  there  is  a  token  on  b  in  S' 3,  then  the  same  token  is  on  b  in  S'X 

ind.  hyp. 


Defs.  3. 3-9+2. 2-5 
(22)+(13) 
(22)+(18) 
(21)+(23)+(24)+(25) 
(20)+(26)+Thm.  7.2-4 
(26)+ind.  hyp. 


(30)  F  for  X(p  (29)+(26)+Thm.  7.2-4 

Thus  it  is  proven  by  Induction  that 


(31)  For  any  prefix  X  of  Q,  |s|  <  |x|  <  |a|,  d  is  enabled  in  S'X  and  if 
d  is  a  merge  gate  and  b  is  it  T  (F)  input  arc,  then  d's  control 
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input  arc  holds  a  true  (false)  token  in  5*X, 

(32)  if  there  is  a  token  on  b  in  5*S»  it  is  on  b  in  S'X,  and 

(33)  there  are  the  same  number  of  firings  of  d  in  A  as  in  S,  which  is  k-1 


(34)  Since  g€ah,  1 6 1  £  |a|,  so  |<*>(6)  |  5  ^(a)) 

(35)  |s|  <  |9|  <  |d| 

(36)  A 

(37)  B 

(38)  C 

(39)  D 


(3)+Def.  4.3-4 
(3)+(34)+(7)+Def.  2.4-5 
(35)+(31) 
(35)+(33) 
(35)+(14)+(32) 
(35)+(13) 


A 

Corollary  7.2-1  Given  any  program  P,  let  S  be  any  initial  modified  state 

of  P  and  let  0  be  any  firing  sequence  starting  in  5.  Let  d^,  d^ . d^ 

be  any  ordered  collection  of  distinct  actors  in  P,  all  of  which  are 
enabled  in  5‘0-  Then 

A:  0<Pj4>2*  *  ‘‘Pm*  where  f°r  i*l»»«»»®»  Is  a  firing  of  d^,  is  a  firing 
sequence  starting  in  S,  and 

B:  for  i  *  l,...,m,  each  token  on  an  input  arc  of  d^  in  S‘8  is  on  that 
arc  in 


Proof ;  By  induction  on  the  index  of  the  actors  in  the  collection  d^, 

. ..,  d  .  Induction  hypotheses  are:  For  any  n,  1  <  n  S  m, 
m 

A:  0<p^...<pn  is  a  firing  sequence  starting  in  S, 

B:  for  i-l,...,n,  for  j-i,...,m,  each  token  on  an  input  arc  of  d^  in 

S’Q  is  on  that  arc  in  •  .  .  ,<p^  and 

C:  For  i<"n,...,m,  d.  is  enabled  in  5'0<p,  .  ..<p  .  • 

l  1  n— l 

Basis:  n  ■  1. 

(1)  di  is  enabled  in  S’B  for  i»n,...,m.  0<p^,  where  is  a  firing  of 
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d^,  is  a  firing  sequence  starting  in  5.  For  i»l,  for  j“i . . 

each  token  on  an  input  arc  of  in  S'  9  is  on  that  arc  in  S'  0 

Def.  2.3-1 

Induction  step:  Assume  that  the  induction  hypotheses  are  true  for  any  n, 
1  S  n  <  m. 

(2)  For  i-n,  d^  is  enabled  in  S’  ©cp^. .  and  ®<l>i***<Pn  is  a 

firing  sequence  starting  in  S  ind.  hyp. 

(3)  For  i-it+1 , . . .  ,m ,  d  is  enabled  in  5*6^.,... <p  (2)+Thm.  7.2-4 

1  J-  n 

(4)  ©^...tp  q>  is  a  firing  sequence  starting  in  S  (3)+Def.  2.3-1 

(5)  For  i-l,...,n,  for  j*i,...,m,  each  token  on  an  input  arc  of  d^  in 

5*6  is  on  that  arc  in  5*©<p^. .  ind.  hyp. 

(6)  For  i*irH,  for  j-i,...,m,  each  token  on  an  input  arc  of  d^  in  5*6 

is  on  that  arc  in  5*0<p^...«p^  ^  and  t*1®0  in  5*9<Pj. .  ■<Pi_2(PjL_i 

(5)+(2)+Thm.  7.2-4 


(7)  For  i»l,...,n+l,  for  j*i,...,ra,  each  token  on  an  input  arc  of  d^ 

in  S*0  is  on  that  arc  in  S*©tp^...<p^  ^  (5)+(6) 

Thus  it  is  proven  by  Induction  that  A  and  B  are  true  for  n-m;  i.e.. 


6<p,  ...ip  is  a  firing  sequence  starting  in  5,  and  for  i-l,...,m,  each 
1  m 

token  on  an  input  arc  of  d^  (in  particular)  in  5*6  is  on  that  arc  in 


5 '  ©<p^ ...  <P  ^ 


Lemma  7.2-8  For  any  program  P,  let  5  be  any  initial  state  for  P,  and  let 
2  be  any  halted  firing  sequence  starting  in  5.  Let  c 0  be  any  causal  per¬ 
mutation  of  t](5,2)  such  that  <3>(<o)  is  the  reduction  of  2.  If 
(1)  For  every  prefix  ek  of  co,  letting  Ex(d,m)  be  the  target  of  k  and 
letting  A  be  the  prefix  of  2  whose  reduction  is  4>(e),  there  is  an 
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initial  state  S'  for  F  and  a  halted  firing  sequence  Q*  starting  in 
S',  and  there  is  a  prefix  e'k'  of  some  {3€J  ,  ,  such  that  T(k')  ■  T(k) 
and,  for  a'  the  prefix  of  s'  whose  reduction  is  4>(e')»  s' ’  A'  equals 
either  S’  A  or  S‘3  where  a  ■  E<p  and  cp  is  not  a  firing  of  d, 
then  co  is  in  J 

S,£ 

Proof ; 

(2)  Let  ek  be  any  prefix  of  co,  let  the  destination  in  T(k)  be 

Dst(Ex(d,m) ,j) ,  and  let  A  be  the  prefix  of  Q  whose  reduction  is 
$(e).  Then  there  is  an  initial  state  s'  for  P  and  a  halted  firing 
sequence  starting  in  S',  and  a  prefix  e'k'  of  some  p€j  ,  , 
such  that  T(k')  «■  T(k)  and,  for  a'  the  prefix  of  a'  whose  reduc¬ 
tion  is  <J>(E'),  S'* a'  equals  either  s‘A  or  S’ S  where  a  “  Hep  and  <p 
is  not  a  firing  of  d  (1) 

(3)  If  A  ■  Hep  and  <p  is  not  a  firing  of  d,  then  every  input  arc  of  d 

which  holds  a  token  in  S*H  holds  the  same  token  in  S’A,  and  d  is 
enabled  in  S’ H  =»  d  is  enabled  in  S’A  (2)+Thm.  7.2-4 

(4)  Every  actor  is  enabled  in  s'* A'  iff  it  is  enabled  in  any  state 

equal  to  s' ’A'  Cor.  7.1-2 

(5)  Every  control  arc  holds  only  non-pointer-valued  tokens  Def.  2.2-1 

(6)  Every  control  arc  holds  tokens  of  the  same  value  in  two  equal 

states  (5)+Defs.  7. 1-2+3. 4-1 

(7)  If  S’  A  equals  s' ’A',  then  d  is  a  gate  =»  its  control  input  arc  holds 

the  same  token  in  S’A  as  in  s' ’A',  and  d  is  enabled  in  s'* A'  ** 
d  is  enabled  in  S’A.  If  S’ H  is  equal  to  s'* A'  and  <p  is  not  a 
firing  of  d,  then  d  is  enabled  in  s'* A'  *»  d  is  enabled  in  s’ E  =» 
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d  is  enabled  in  5* A  a  if  d  is  a  gate,  its  control  input  arc  holds 
a  token  in  S' *4'  =>  that  arc  holds  the  same  token  in  S' S,  hence  in 
S'  A  (6)+(4)+(3)+Oefs .  3. 3-6+2. 1-4 

(8)  If  d/fDL,  let  b  be  the  number-j  input  arc  of  the  actor  labelled  d. 

That  actor  is  enabled  in  S'" A',  hence  in  5* A,  and  if  it  is  a 
merge  gate  and  b  is  its  T  (F)  input  arc,  then  its  control  input 
arc  holds  a  true  (false)  token  in  S' *A'»  hence  in  S'  A 

(2)+(7)+Def .  4.3-5 

(9)  Since  N  and  V  are  infinite,  for  any  firing  sequence  X,  there  is 

P 

an  equal  firing  sequence  X'  such  that  the  multiset  of  pointer-node 
pairs  in  the  Copy  firings  in  X’  is  consistent  with  the  heap 
in  S'-A’  Defs.  2 . 2-1+2 . 4-5+5 . 2-3 

(10)  For  any  firing  sequence  starting  in  any  state  equal  to  S' '  A-* ,  there 

is  an  equal  firing  sequence  starting  in  S'' A*  (9)+Cor.  7.1-2 

(11)  If  S'  A  equals  S'* A',  there  is  a  firing  sequence  starting  inS'A  which 

contains  a  firing  of  actor  c  =»  there  is  a  firing  sequence  starting 
in  S’ *A'  which  contains  a  firing  of  c.  If  S' S  equals  S'' A',  there 
is  a  firing  sequence  X  starting  in  S'  A  which  contains  a  firing  of 
c  =»  there  is  a  firing  sequence  <pX  starting  in  S’S  which  contains 
a  firing  of  c  =»  there  is  a  firing  sequence  starting  in  S'' A' 
which  contains  a  firing  of  c  (10)+Defs.  2. 4-5+2. 3-1 

(12)  dfDL  and  d  -  (c,n)  =>  letting  b  be  the  number-n  program  output  arc 

of  P  if  c  ■  "0D",  or  else  the  number-n  input  arc  of  the  actor 
labelled  c,  there  is  a  token  on  b  in  S'' A',  and  [c  is  an  actor 
label  •  there  is  no  firing  sequence  starting  in  S'' A'  which 
contains  a  firing  of  c]  (2)+Def.  4.3-5 


o-, 
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(13)  »  there  is  a  token  on  b  in  S'A,  if  5* A  equals  S'  *A' ,  or  in  5* S, 

if  S' S  equals  S’*A'  (2)+Defs.  7. 1-2+3. 4-1 

(14)  A  (c  is  an  actor  label  »  there  is  no  firing  sequence  starting  in 

£*A  which  contains  a  firing  of  c,  and  if  S' S  equals  S'* A',  <p  is 
not  a  firing  of  c]  (2)+(ll) 

(15)  ■»  there  is  a  token  on  b  in  S' A  Thm.  7.2-4 

(16)  co  is  in  J5  (2)+(8)+(12)+(14)+(15)+Def.  4.3-5 

A 

Theorem  7 , 2-5  Every  expansion  (Int,J)  from  EE(Ljj,M)  satisfies  the 
Persistence  Axiom. 

Proof ; 

(1)  Let  J  be  any  job  in  J.  There  is  an  Lp  program  P  such  that  Int  is 

Int(P),  and  there  is  an  equivalence  class  E  of  initial  modified 
states  of  P  such  that  J  ■  J  Defs.  4. 3-1+4. 3-2 

(2)  Let  ag  be  any  computation  in  J.  There  is  an  initial  modified  state 

S6E  and  a  halted  firing  sequence  &  starting  in  S  such  that  ag  is 
a  prefix  cf  some  (3  in  J0  n  (1)+Def.  4.3-3 

&  f  uG 

(3)  Let  0  be  the  prefix  of  ffi  whose  length  equals  that  of  4>(a) .  Then 

0  is  a  firing  sequence  starting  in  S  whose  reduction  is  $(a) 

Lemma  7 . 2-2+Def .  2.3-1 

(4)  Let  Int(P)  •  (St,  /,IE).  Let  EF  be  the  set  of  executions  (Ex(d,k)| 

d€St-DL  and  Ex(d,k)  is  not  initiated  in  a  but  has  an  input  entry 
in  ag}.  Let  e  -  Ex(d,k)  be  any  execution  in  EF.  Let  A<p  be  the 
prefix  of  S2  in  which  «p  is  the  kC^  firing  of  d.  Let  f  ■  Ent(e,j) 
be  any  input  entry  to  e  in  ag  and  let  b  be  d's  number-J  input 


arc.  Then 
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(4a)  d  is  enabled  in  S'0,  and  if  d  is  a  merge  gate  and  b  is  its  T  (P) 

input  arc,  then  d's  control  input  arc  holds  a  true  (false)  token 

in  5*0, 

(4b)  there  are  exactly  k-1  firings  of  d  in  6, 

(4c)  there  is  a  token  on  b  in  S*&  which  is  on  b  in  5*0,  and 

(4d)  b  is  an  output  arc  of  an  actor  c  =»  there  are  the  same  number  of 

firings  of  c  in  0  as  in  4  (2)+(3)+Lemma  7.2-7 

(5)  Let  t  be  any  transfer  in  ET  (a)  except  T(g).  Then  there  is  an 

J 

entry  h  with  T(h)  ■  t  such  that  ah  is  in  J  Def.  6.2-2 

(6)  There  is  an  initial  modified  state  S’€E  and  a  halted  firing  sequence 

S2 *  starting  in  S'  such  that  ah  is  a  prefix  of  some  ffii 

(l)+(5)+Def.  4.3-3 

(7)  Let  0'  be  the  prefix  of  2'  whose  length  equals  that  of  $(a) .  Then 

O'  is  a  firing  sequence  starting  in  5*  whose  reduction  is  <t>(a) 

(6)+Lemma  7.2-2+Def.  2.3-1 

(8)  Let  Dst^'.J')  where  e'  ”  Ex(d',k’)  be  the  destination  in  T(h) . 

Then  e*  has  an  input  entry  in  ah  but  is  not  initiated  in  a 

Def s .  4 . 2-5+4 . 2-6 

(9)  If  d'€St-DL,  let  4'^*  be  the  prefix  of  2'  in  which  <pr  is  the  k,th 

firing  of  d*,  and  let  b’  be  the  number-}'  input  arc  of  d'.  Then 
(9a)  d'  is  enabled  in  S'  *8',  and  if  d'  is  a  merge  gate  and  b'  is  its 

T  (F)  input  arc,  its  control  input  arc  holds  a  true  (false)  token 

in  s'-e', 

(9b)  there  are  exactly  k'-l  firings  of  d'  in  0', 

(9c)  there  is  a  token  on  b’  in  5* *4’  which  is  on  b*  in  S'  *0' ,  and 
(9d)  b'  is  an  output  arc  of  an  actor  c'  »  there  are  the  same  number  of 
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(10) 

(ID 

(12) 

(13) 

(14) 


(15) 

(16) 


(17) 


(18) 


(19) 

(20) 


firings  of  c'  in  6*  as  in  A'  (4)+(6)+(7)+(8)+Leama  7.2-7 

S'  equals  S  (l)+(2)+(6) 

0’  equals  0  (3)+(7)*H)ef .  2.4-5 

S’*0‘  equals  5*0  (10)+(11)+Thm.  7.1-2 

d’  is  enabled  in  S'Q  (12)+(9a)+Cor.  7.1-2 

If  d*  is  a  merge  gate  and  b'  is  its  T  (F)  input  arc,  then  its 
control  input  arc  holds  a  true  (false)  token  in  S‘B 

(9a)+(12)+Defs.  7. 1-2+3. 4-1 
There  are  exactly  k'-l  firings  of  d'  in  0  (9b)+(ll)+Def .  2.4-5 

Let  EA  be  the  set  {d|  3k:  Ex(d,k)€EF),  if  d’fDL,  or  {d|  3k: 

Ex(d,k) €EF}U{d' },  if  d'€St-DL.  Then  each  actor  in  EA  is  enabled 


in  5*0  (4)+(13) 

Let  d^,  d2 . d^  be  any  ordering  of  the  actors  in  EA  satisfying 

the  following:  If  g  initiates  Ex(d,,,k"),  then  d^  -  d"  and  d2  -  d', 
otherwise,  d^  ■  d' 

0<P^<P2  • .  *<Pm*  where  for  i*l,...,m,  «p^  is  a  firing  of  d^,  is  a  firing 
sequence  starting  in  S,  and  for  i"l,...,m,  each  token  on  an  input 
arc  of  d^  in  S’Q  is  on  that  arc  in  £'0(p^. . 

(2)+(3)+(16)+(17)+Cor .  7.2-1 

P  is  a  causal  permutation  of  r|(S,£2)  and  (3*  is  a  causal  permutation 
of  T)(S’  ,£’)  (2)+(6)+Def.  4.3-5 

Let  X  be  any  halted  firing  sequence  starting  in  S  which  has 
&Pl* •  .<Pm  as  a  prefix.  Let  AF  be  the  set  of  executions  {Ex(d,k)| 
dfSt-DL  and  Ex(d,k)  is  initiated  in  a}.  Let  f  be  any  entry  in  ag. 
Then  f  is  in  t](5,J3)  (2)+(19) 


(21)  Let  a  -  Ex(d,k)  be  the  target  of  f.  Then  d€St-DL  -  e€AFUEF  (4)+(20) 
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(22)  a  letting  V(f)  be  v  and  T(£)  be  (s(Dst(Ex(d,k) ,j)) ,  and  letting 

b  be  the  number-j  Input  arc  of  d,  there  Is  a  prefix  A<j>  of  Q  in 
which  <p  is  the  kC^  firing  of  d,  <p  removes  a  token  of  value  v 
from  b,  s  -  Source(b,5,  A)  *  and  f  is  in  ■n(S.Atp)  (20)+Alg.  4.3-1 

(23)  d€St-DLAe€AF  *»  there  are  at  least  k  firings  of  d  in  6 

(l)+(2)+(19)+(3)+Thm.  4.3-2 


(24)  •  flip  is  a  prefix  of  6,  hence  of  X  (22)+(20) 

(25)  »  there  is  a  prefix  Acp  of  X  such  that  f  is  in  t}(5,A(p)  (22) 

(26)  »  f  is  in  ti(S,X)  Alg.  4.3-1 

(27)  d€St-DLAe€EF  -  d€EA  (16) 

(28)  a  there  is  an  i  such  that  d  ■  d^  in  the  ordering  of  the  actors  in 

EA  (17) 

(29)  »  in  Oip, . .  .<p  ,  cp.  is  a  firing  of  d  (18) 

1  IB  x 


(30)  d€St-DLAe€EF  «•  since  all  actors  in  EA  are  distinct,  cp^  is  the  kth 

firing  of  d  in  X  (27)+(29)+(4b)+(20) 

(31)  A  [d  is  a  merge  gate  and  b  is  its  T (F)  input  arc  =»  d's  control 

input  arc  holds  a  true  (false)  token  in  5*6  (4a) 

(32)  *•  d's  control  input  arc  holds  a  true  (false)  token  in  5*6tp^« . 

(28)+(18) 

(33)  =»  there  is  a  token  on  b  in  5*9  (27)+(16)+(31)+Defs.  3. 3-6+2. 1-4 

(34)  »  there  is  a  token  on  b  in  5*9<j>2*  •  identical  to  the  one  on  b 

in  5’ A,  and  it  is  removed  by  <p^ 

(28)+(4c)+(18)+(31)+(32)+Defs .  3. 3-9+2. 1-5 

(35)  A  (b  is  an  output  arc  of  an  actor  c  •  c  is  not  enabled  in  5*6 

Defs.  3. 3-6+2. 1-4 


(36)  -  clEA 


(16) 
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(37)  =»  the  number  of  firings  of  c  in  ®^2. '  * '  ^i-l  is  equal  to  the  number 

of  firings  of  c  in  0  (18)+(17) 

(38)  which  is  equal  to  the  number  of  firings  of  c  in  A]  (30)+(4d) 

(39)  S  equals  S  Defs.  7. 1-2+3. 4-1 

(40)  d€S t-DLAe€EF  =»  Source (b,S,  0<p^. .  .cp,^)  ■  Source(b,S,  A)  *  s 

(39)+(3)+(18)+(35)+(37)+(22)+(38)+Lemma  7.1-3 

(41)  -  f  is  in  iite.X)  (30)+(34)+(22)+Alg.  4.3-1 

(42)  For  any  entry  ffag  whose  target  is  Ex(d,k),  d€St-DL  »  f  is  in  rj^X) 

(20)+(21)+(23)+(26)+(40)+(41) 

(43)  h  is  in  r|(5’  ,2')  (6)+(19) 

(44)  Let  Ex(d',k')  be  the  target  of  h.  Then  d'€St-DL  =»  d'€E A  (16) 

(45)  A  letting  T(h)  be  (s,Dst(Ex(d' ,k’) ,j ')) ,  there  is  a  prefix  A'tp'  of 

2'  in  which  tp*  is  the  k'^  firing  of  d',  cp'  removes  a  token  from 
b’,  the  number-,)’  input  arc  of  d’,  and  s  ■  Source(b*  ,S' » A') 

(43)+Alg.  4.3-1 

(46)  ==>  there  is  an  i  such  that  d  ■  d^  in  the  ordering  of  actors  in  EA(17) 

(47)  =»  in  0(p^...(pm,  <p^  is  a  firing  of  d*  (18) 

(48)  =»  since  each  actor  in  EA  is  distinct,  tp^  is  the  k,tl1  firing  of  d' 

in  X  (45)+(8)+(15)+(20) 

(49)  a  [d *  is  a  merge  gate  and  b'  is  its  T  (F)  input  arc  =>  its  control 

input  arc  holds  a  true  (false)  token  in  S’ 0  (45)+(18)+(14) 

(50)  =>  its  control  input  arc  holds  a  true  (false)  token  in  S’Qcp^. .  •<P1_^J 

(46)+(18) 

(51)  •  there  is  a  token  on  b*  in  S’0  (44)+(16)+(49)+Defs.  3. 3-6+2. 1-4 

(52)  »  there  is  a  token  on  b*  in  5*0cp^. . *<P^_j_*  an<*  *8  removed  by 

(46)+(18)+(49)+(50)+Defs .  3. 3-9+2 .1-5 
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(53)  A  [b  *  Is  an  output  arc  of  an  actor  c  =»  c  is  not  enabled  In  5*  0 

Defs.  3. 3-6+2. 1-4 

(54)  *»  c£EA  =»  the  number  of  firings  of  c  in  ©tp^ ... i  e9ual8  the  number 

of  firings  of  c  in  0  (16)+(18)+(17) 

(55)  which  equals  the  number  of  firings  of  c  in  0'  (ll)+Def.  2.4-5 

(56)  which  equals  the  number  of  firings  of  c  in  A']  (45)+(8)+(9d) 

(57)  =»  Source(b',5,0(p^.  ••<pi_^)  *  Source(b *  ,5* ,  A’)  *  s 

(10)+(7)+(18)+(53)+(54)+(56)+(45)+Lemma  7.1-3 

(58)  =»  there  is  an  entry  in  r\(S,X)  with  transfer  (s,Dst(Ex(d' ,k') ,j ')) , 

which  is  T(h)  (48)+(52)+(45)+Alg.  4.3-1 

(59)  Let  f  be  any  entry  in  ag,  and  let  6  be  such  that  6f  is  a  prefix  of 

ag,  hence  p.  Let  3  be  the  prefix  of  2  whose  length  equals  that 
of  4>(6) .  Then  S  is  a  firing  sequence  starting  in  S  whose  reduc¬ 
tion  is  $(6)  (2) 4-Lemma  7.2-2+Def.  2.3-1 

(60)  |*(6)|  5  |$(a)|  (59)+Def. .4.3-4 

(61)  S  is  a  prefix  of  0,  hence  of  X  (3)+(59)+(60)+(20) 

(62)  Let  Ex(d,k)  be  the  target  of  f.  d/fSt-DL  •»  d  -  (c',n)  where  c’  is 

either  the  label  of  an  actor  in  F  or  "0D",  there  is  an  arc  b 
uniquely  related  to  d  which  holds  a  token  of  value  V(f)  in  5*2, 
and  T(f)  -  (s,Dst(Ex(d,0) ,1))  where  s  ■  Source(b,5,2) (20)+Alg.  4.3-1 

(63)  A  there  is  a  token  on  b  in  5*3  A  [c'  is  the  label  of  an  actor  in  P 

=»  in  no  firing  sequence  Acp  starting  in  5*3  is  <p  a  firing  of  cr] 

(59)+(2)+Def.  4.3-5 

(64)  •  [c'  is  the  label  of  an  actor  in  P  =»  b  is  an  input  arc  of  c* 

Alg.  4.3-1 

(65)  »  for  no  firing  sequence  dcp  starting  in  5*3  is  there  a  token  on  b 
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in  S’ SA  but  none  in  S'SAcp]  (63)+Def.  3. 3-9+2. 1-5 

(66)  a  [c’  is  not  the  label  of  an  actor  in  P  =»  b  is  a  program  output  arc 

Alg.  4.3-1 

(67)  »  b  is  not  an  input  arc  of  any  actor  Def.  2.1-1 

(68)  =»  for  no  firing  sequence  Acp  starting  in  S’ S  is  there  is  a  token  on 

b  in  S’ SA  but  none  in  S'SAcp]  Defs.  3. 3-9+2. 1-5 

(69)  =»  for  any  firing  sequence  Acp  starting  in  S’ 3,  there  is  a  token  on 

b  in  S’ SAcp  (63) 

(70)  *»  there  is  a  token  on  b  in  S>x  (61) 

(71)  A  [b  is  an  output  arc  of  actor  c  =»  for  every  firing  sequence  A 

starting  in  S’ S,  c  is  not  enabled  in  £*SA  Defs.  3. 3-6+2. 1-4 

(72)  A  there  is  no  p  such  that  cfQ(p)  in  S’ SA  Cor.  7.1-1 

(73)  =»  there  are  the  same  number  of  firings  of  c  in  S  as  in  52,  and  there 

are  the  same  number  of  firings  of  c  in  S  as  in  X]  (59)+(61) 

(74)  =»  Source(b,5,X)  *  Source (b, 5,52)  *  s  (39)+(62)+Lemma  7.1-3 

(75)  A  for  every  firing  sequence  Acp  starting  in  S’ S,  any  token  on  b  in 

5*SAcp  is  on  b  in  S’  SA  (71)+(72)+Defs.  3. 3-9+2. 1-5 

(76)  =»  there  is  a  token  of  value  v  on  b  in  S’ 3,  hence  5*X  (62)+(59)+(61) 

(77)  ^  f  is  in  r )(5,X)  (62)+(70)+(74)+Alg.  4.3-1 

(78)  For  any  actor  c,  there  is  a  firing  sequence  Acp  starting  in  5‘0  in 

which  cp  is  a  firing  of  c  »  since  N  and  are  infinite,  there  is 
an  equal  firing  sequence  A’cp'  such  that  the  multiset  of  pointer- 
node  pairs  in  the  Copy  firings  in  A'cp'  is  consistent  with  the 
heap  in  5’ *e'  Defs.  2. 2- 1+2. 4-5+5. 2-3 

(79)  *»  there  is  a  firing  sequence  A'cp’  starting  in  S'" 6f  in  which  cp'  is 

a  firing  of  c  (12)+Cor.  7.1-2+Def.  2.4-5 
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(80)  Let  Ex(d,k)  be  the  target  of  h.  d/(St-DL  =»  d  «■  (c',n)  where  c'  is 

either  the  label  of  an  actor  in  P  or  "OD",  there  is  an  arc  b 
uniquely  related  to  d  which  holds  a  token  in  S' •&',  and  T(h)  is 
(s,Dst(Ex(d,0) ,1) )  where  s  -  Source (b ,s' ,2*)  (43)+Alg.  4.3-1 

(81)  A  there  is  a  token  on  b  in  5' *0'  A  [c'  is  the  label  of  an  actor  in 

P  =»  in  no  firing  sequence  Atp  starting  in  S'  “O'  is  <p  a  firing  of  c) 

(6)+(7)+Def.  4.3-5 

(82)  =»  there  is  a  token  on  b  in  5*0  (12)+Defs.  7. 1-2+3. 4-1 

(83)  A  [c'  is  the  label  of  an  actor  =»  there  is  no  firing  sequence  A<p 

starting  in  S’Q  in  which  <p  is  a  firing  of  c']  (78)+(79) 

(84)  =*[c'  is  the  label  of  an  actor  »  b  is  an  input  arc  of  c' 

(80)+Alg.  4.3-1 

(85)  =»  for  no  firing  sequence  A(p  starting  in  S' ‘O'  (S’Q)  is  there  a 

token  on  b  in  S'' 8' A  (£*0A)  but  none  in  S''Q'kp  (S*8A<p)] 

(81)+(83)+Def s .  3. 3-9+2. 1-5 

(86)  A  [c'  is  not  the  label  of  an  actor  =»  b  is  a  program  output  arc 

(80)+Alg.  4.3-1 

(87)  =»  b  is  not  an  input  arc  of  any  actor  Def.  2.1-1 

(88)  *»  for  no  firing  sequence  A<p  starting  in  S'"Q'  (S’Q)  is  there  a 

token  on  b  in  S''Q'&  (5*8A)  but  none  in  S' 'Q' A<p  (5*8A«p)] 

Defs.  3. 3-9+2. 1-5 

(89)  =»  for  every  firing  sequence  Aq>  starting  in  S'*0’  (5*8),  there  is 

a  token  on  b  in  S'^O'Acp  (S’8A(p)  (81)+(82) 

(90)  »  there  is  a  token  on  b  in  S'X  (20) 

(91)  A  [b  is  an  output  arc  of  actor  c  =>  for  no  firing  sequence  A  starting 

in  S' *0'  (S’Q)  is  c  enabled  in  S''Q' A  (S*0A)  Defs.  3. 3-6+2. 1-4 
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(92)  =>  there  are  the  same  number  of  firings  of  c  in  6'  as  In  a'  and  the 


same  number  of  firings  of  c  in  0  as  in  X 

(93)  »  there  are  the  same  number  of  firings  of  c  in  X  as  in  2'] 


(7)+(20) 


(ll)+Def.  2.4-5 


(94)  =»  Source(b,S,X)  ■  SourceO^.^'  ,8')  -  s 


(10)+(20)+(6)+(80)+(90)+Lemma  7.1-3 

(95)  =»  there  is  an  entry  in  t}(S,X)  with  transfer  (s,Dst(Ex(d,0)  ,1))  , 


which  is  T(h) 


(20)+(90)+(89)+Alg.  4.3-1 


(96)  Let  h  be  the  entry  in  r^S.X)  such  that  T(h)  =  T(h) .  Let  6  be  the 

sequence  of  entries  derived  by  striking  every  entry  in  ag,  plus  h, 
from  r|(S,X) .  Then  aghfi  is  a  permutation  of  ^(S.X) ,  and  for  any 
two  entries  f^  and  f?  in  6,  f^  follows  f2  in  6  iff  f1  follows  f2 


in  -n(S,X) 


(42)+(62)+(77)+(44)+(58)+(80)+(95)+Def.  4.2-6 


(97)  Let  m  be  the  length  of  $(agh)  •  <i>(agh)  is  $(a)  followed  by  zero. 


one,  or  two  firings 


Def.  4.3-4 


(98)  <Kagh)  ■  3>(a)  =»  the  reduction  of  0  is  #(agh)  and  0  is  a  prefix 

of  X  (3)+(20) 

(99)  $(agh)  -  $(a)cpa  =»  one  of  g  and  h  is  an  initiating  entry  and  [g 

Initiates  an  execution  Ex(d",k")  =»  q>  is  a  firing  of  d"  Def.  4.3-4 

a 


(100)  A  is  a  firing  of  d"] 


(17)+(18) 


(101)  A  [h  initiates  an  execution  Ex(d’,k')  in  agh  =>  g  does  not  initiate 


an  execution  in  ag  and  <pfl  is  a  firing  of  d' 


Defs.  4. 2-6+4. 3-4 


(102)  =>  <p  is  a  firing  of  d']  (17)+(18) 

(103)  A  the  reduction  of  0<p^  is  one  firing  longer  than  the  reduction  of 

0,  which  is  $(a) ,  so  it  is  $(a)u>  where  a,  is  a  firing  of  the 

&  a 


same  actor  as 


(3)+(96)+Defs .  2. 4-5+4. 3-4 


-.Mb***'-'" 
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(104) 

(105) 

(106) 

(107) 

(108) 


(109) 

(110) 

(111) 


(112) 

(113) 

(114) 

(115) 

(116) 


»  the  reduction  of  0(p^  Is  $(ogh)  and  0<p^  Is  a  prefix  of  X  (99)+(20) 
’Nagh)  ■  <K a) <Pa(p^  =*  both  of  g  and  h  are  Initiating  entries 

Def.  4.3-4 

=>  g  initiates  an  execution  Ex(d",k")  in  agh  and  g  initiates  an 
execution  Ex(d",k")  in  ag  (96)+Def.  4.3-4 

»  <Pa  is  a  firing  of  d",  as  is  <p^,  and  is  a  firing  of  d',  as  is 
<p0  (17)+(18)+Def.  4.3-4 


A  the  reduction  of  0<p  <pj  Is  tw0  citings  longer  than  the  reduction 
of  0,  which  is  $(a),  so  it  is  4>(a)tp  ip.  where  <p  is  a  firing  of  the 

AD  A 

same  actor  as  cp^  and  is  a  firing  of  the  same  actor  as  cp ^ 

(3)+(96)+Defs.  2. 4-5+4. 3-4 


=»  the  reduction  of  is  $(agh)  and  ©cp^^  is  a  prefix  of  X 

(105)+(20) 

<Kagh)  is  the  reduction  of  the  prefix  A  of  X  whose  length  equals 
that  of  f>(agh) ,  i.e.,  m  (97)+(98)+(99)+(104)+(105)+(109) 

Let  yf  be  any  prefix  of  agh6  and  let  e  be  the  execution  of  which 
f  is  an  output  entry.  f€ag  =»  there  is  a  prefix  yf  of  |3  in  which 
f  is  an  output  entry  of  e  (2) 

a  e  is  initiated  in  y  (19)+Def.  4.2-7 

f  ■  h  =»  a  is  a  prefix  of  y  and  h  is  an  output  entry  of  e  *»  there 
are  at  least  as  many  input  entries  to  e  in  y  as  in  a(96)+Def.  4.2-5 
A  e  is  initiated  in  a  (6)+(19)+Def .  4.2-7 

•  e  is  Initiated  in  y  Def.  4.2-6 

r)(5,X)  is  causal  wrt  Int  and  is  a  computation  for  Int 


(117)  f  is  in  T}(S,X) 


(1)+Lemma  4.3-1 
(lll)+(96) 
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(118)  Let  e  *  Ex(d,k).  In(/(d))  Input  entries  to  e  precede  f  in  r)(s,x) 

(lll)+(116)+(117)+(4)+Defs.  4. 2-7+4. 2-6 

(119)  There  are  In(/(d))  input  entries  to  e  in  agh6  (118)+-(96) 

(120)  f€6  =»  no  entry  follows  f  in  aghs  unless  it  follows  f  in  T}(S,X)  (96) 

(121)  =»  In(/(d))  input  entries  to  e  precede  f  in  agh§  (119)+(118) 

(122)  =»  e  is  initiated  in  y  (lll)+Def .  4.2-6 

(123)  e  is  initiated  in  y  (111)+(112)+(113)+-(115)+(120)+(122) 

(124)  agh6  is  a  causal  permutation  of  r)(S,X)  (lll)+(123)+(96)+Def .  4.2-7 

(125)  Let  Z  be  the  set  of  executions  {Ex(d,k) |  d€St-DL  and  Ex(d,k)  is 
initiated  in  T)(S,X) }.  Let  Y  be  the  set  {Ex(d,k) |  d€St-DL  and 
Ex(d,k)  is  initiated  in  rjCS.A)  }.  Since  riCS.A)  is  a  prefix  of 
ti(S,X) ,  every  initiating  entry  to  an  execution  in  Z-Y  is  preceded 
in  t](S,X)  by  the  initiating  entries  to  all  executions  in  Y 

(110)+Alg.  4.3-1 

(126)  For  any  d*St-DL,  In(/(d))  >  0  Defs.  4 . 3-2+4 . 3-1+2 . 1-2 

(127)  For  any  e  ■  Ex(d,k),  eCY  iff  there  are  In(/(d))>  0  input  entries 

to  e  in  rj(S,A)  and  d€St-DL  (125)+-(126)-H)ef .  4.2-6 

(128)  iff  there  are  at  least  k  firings  of  d  in  A  and  d€St-DL  Lemma  4.3-1 

(129)  iff  e  is  initiated  in  agh  (l)+(4)+(20)+(124)+(110)+Thm.  4.3-2 

(130)  iffatleast  In(/(d))  input  entries  to  e  are  deleted  from  T](S,X) 

to  get  6  (96) 

(131)  Z  is  also  the  set  {Ex(d,k)|  dCSt-DL  and  Ex(d,k)  is  initiated  in 

agh6}  (125)+(124)+Def.  4.2-6 

(132)  The  number  of  initiating  entries  in  agh  to  executions  in  Z  equals 

the  length  of  4>(agh)  which  is  m  (131)+(110)+0ef .  4.3-4 

(133)  For  n  >  m,  let  e  be  the  n^  execution  from  Z  to  initiate  in  agh6. 
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Then  f,  the  Initiating  entry  of  e  in  agh6,  is  in  6  (132) 

* 

(134)  e  is  in  Z-Y  \  (133)+(129)+(127) 

(135)  Let  e'  *  Ex(d',k')  be  any  other  execution  in  Z  and  let  f'  be  its 

t 

initiating  entry  in  agh5.  Then  f'  precedes  f  in  agh6  iff  f'  is 
in  agh,  or  f'  precedes  f  in  t)(S,X)  and  fewer  than  In(/(d'))  input 
entries  to  e’  are  deleted  from  T)(S,X)  to  get  6  (96)+Def .  4.2-6 

(136)  iff  e'  is  in  Y,  or  f*  precedes  f  in  T)(S,X)  and  e*/£ Y 

(127)+(129)+(130) 

(137)  iff  e'  is  in  Y  and  the  initiating  entry  to  e'  precedes  f  in  t](S,X) 
or  e'i(Y  and  f'  precedes  f  in  r\(S,X)  iff  the  initiating  entry  to 

e'  precedes  f  in  ^(S.X)  (134)+(125) 

(138)  For  n  >  m,  the  n**1  execution  from  Z  initiated  in  agh6  is  the  nth 

execution  from  Z  initiated  in  ^(S.X)  (135)+(137) 

(139)  $0n(S,X))  is  the  reduction  of  X  and  r|(5,X)  is  in  J 

(20)+Lemma  4.3-3 

(140)  For  any  n  >  m,  the  n**1  firing  in  the  reduction  of  X  is  a  firing 

of  d  iff  the  n**1  firing  in  4>(r)(5,X))  is  a  firing  p f  d  (139) 

(141)  iff  the  n*"*1  execution  from  Z  initiated  in  ri(S,X)  is  an  execution 

of  d  (125)+Def .  4.3-4 

(142)  iff  the  n^  execution  from  Z  initiated  in  agh6  is  an  execution  of 

d  (138) 

(143)  iff  the  nC^  firing  in  $(agh6)  is  a  firing  of  d  (125)+Def.  4.3-4 

(144)  For  any  n  S  m,  the  n**1  firing  in  the  reduction  of  X  is  the  n**1 

firing  in  the  reduction  of  A  (110)+Def.  2.4-5 

(145)  which  is  the  nC^  firing  in  $(agh)  (110) 

(146)  which  is  the  n**1  firing  in  <f>(agh6) 


Def.  4.3-4 


-413- 


(147)  $(agh6)  is  the  reduction  of  X  (140)+(143)+(144)+(146)+Def .  2.4-5 

(148)  Let  yf  be  any  prefix  of  agh6,  let  A  be  the  prefix  of  X  whose 

reduction  is  <J>(y),  and  let  the  destination  in  T(f)  be  Dst(e,j) 
where  e  ■  Ex(d,o)  (147)+Lemma  7.2-2 

(149)  f^ag  *»  there  is  a  prefix  yi  of  ^  such  that,  for  A'  the  prefix 

of  Q  whose  reduction  is  $(y),  A  equals  A*  (2)+Def.  2.4-5 

(150)  =»  5* A  equals  S- A’  (39)+Thm.  7.1-2 

(151)  All  In(/(d))  input  entries  to  e  are  consecutive  in  r)(5,X) 

(148)+Alg.  4.3-1 

(152)  All  input  entries  to  e  which  are  left  in  5  are  consecutive 

(15D-K96) 

(153)  f€6  »  there  is  a  prefix  y'f  of  r)(S,X)€J  (96)+(139) 

s  >  ^ 

(154)  =»  for  any  execution  e'  f  e  from  Z,  the  initiating  entry  f'  to  e' 

precedes  f  in  yf  (i.e.,  is  in  y)  iff  it  precedes  e's  initiating 
entry  in  agh6  (148)+(152) 

(155)  iff  the  initiating  entry  to  ef  precedes  the  Initiating  entry  to 

e  in  ^(S.X)  (133)+(135)+(137) 

(156)  iff  the  initiating  entry  to  e'  precedes  f  in  r)(S,X)  (i.e.,  is  in 

y')  (151)+(153) 

(157)  =»  3n:  |*(y’) |  »  |$(y) |  -  n  (125)+Def.  4.3-4 

(158)  =»  “Hy')  is  the  length-n  prefix  of  #(r|(5,X)),  which  is  the 

reduction  of  X  (139)+(153)+Def .  4.3-4 

(159)  A  $(y)  is  the  length-n  prefix  of  $>(agh6),  which  is  the  reduction 

of  X  (147)+(148)+Def .  4.3-4 

(160)  =»  for  A'  the  prefix  of  X  whose  reduction  is  $(y’),  A*  equals  A 


(148)+Def .  2.4-5 
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(161)  «  S’  A'  equals  S’  A  (39)+Thm.  7.1-2 

(162)  Ex(d,m)  is  not  initiated  in  y  (148)+Def.  4.2-6 

(163)  f*h=»y«ag=»if  g  is  the  initiating  entry  in  agh  of  an  execution 
d"€St-DL,  then  d"  *  d,  so  $(y)  ■  $(a)<p,  where  (p  is  not  a  firing 

of  d,  otherwise  $(y)  *  $(a)  (162)+Def.  4.3-4 

(164)  =»  there  is  a  prefix  ah  of  p'€J  ,  such  that  T(f)  «  T(h)  «  T(h) 
and  4>(y)  equals  either  $(a)  or  4>(a) <p  where  cp  is  not  a  firing  of  d 

(96)+Def .  4.3-4 

(165)  =»  letting  A'  be  the  prefix  of  S2'  whose  reduction  is  $(a), 
equals  either  A  or  9  where  A  ■  0<p  and  <p  is  not  a  firing  of  d 

(148)+Def .  2.4-5 

(166)  =»  5'*A'  equals  either  S’  A  or  S’  6  where  A  ■  ©cp  and  cp  is  not  a 

firing  of  d  (10)+Thm.  7.1-2 

(167)  agh5  is  in  J  (124)+(147)+(148)+(149)+(2)+(150)+(153)+(20)+(160)+ 

(161)+(163)+(164)+(6)+(165)+(166)+Lennna  7 . 2-8 

(168)  agh  is  in  J  (167)+(2)+(20)+(l)+Def .  4.3-3 

(169)  T(h)  -  T(h)  -  t  is  in  ETJ(ag)  (168)+(96)-H)ef .  6.2-2 

(170)  (Int,J)  satisfies  the  Persistence  Axiom  (l)+(2)+(5)+(169)+Ax.  6.2-5 

A 


7.3  Determinacy  and  Functionality 

The  preceding  two  sections  have  proven  that  EEd^.M)  is  an  S-S  model 
and  that  every  expansion  from  it  satisfies  the  Determinacy  Axioms.  By 
Theorem  6.4-1,  then,  every  expansion  is  determinate.  This  section 
contains  the  final  and  most  complex  proof  of  the  thesis,  that  if  the 
expansion  (lnt,J)  of  an  program  P  is  determinate,  then  P  running  on 
the  modified  Interpreter  is  functional. 


P  is  functional  iff  for  any  two  equal  initial  modified  states  and 

^2  for  P,  and  any  two  halted  firing  sequences  2^  and  starting  in 

and  S2*  ^2^2  equals  S^’2^.  There  is  an  equivalence  class  E  of  initial 

states  which  contains  both  and  S2 .  so  co^  ■  ^(5^,2^)  and  ^ 

are  both  in  J£  (Lemma  4.3-3).  Denoting  either  of  and  by  a>,  if  a>  is 

not  halted  in  J  ,  then  it  is  a  proper  prefix  of  some  0€J„,  ,  where  s' 

equals  S  and  2’  is  a  halted  firing  sequence  starting  in  s'.  Since  <f>(p) 

is  the  reduction  of  2' ,  $(<o)  is  the  reduction  of  a  prefix  9  of  2' 

(Lemma  7.2-4).  But  #(co)  is  also  the  reduction  of  2  (Lemma  4.3-3),  so  0 

equals  2.  Therefore,  S' ’0  equals  S' 2,  and  since  no  actor  is  enabled  in 

S'Si,  no  actor  is  enabled  in  S''Q,  so  2'  *  0,  which  is -2.  The  number  of 

th 

tokens  which  appear  at  the  n  firing  in  2  equals  the  number  which  appear 

at  the  nth  firing  in  2'.  Since  co  already  contains  an  entry  for  each 

token  which  appears,  p  can  have  no  more  entries.  I.e.,  00  cannot  be  a 

proper  prefix  of  any  computation  in  J_,  so  it  is  halted  in  J  (Lemma  7.3-1 

£  £ 

below).  Therefore,  co^  and  a ^  are  two  halted  computations  in  the  same 
job,  and  so  are  equivalent  computations. 

By  construction  (Algorithm  4.3-1),  there  is  a  token  of  value  v, 

(v,R),  or  (v,W)  on  an  arc  b  in  £^*2^  (<£>2*^2^  there  is  an  entry  in 
(<>>2)  with  value  v  whose  transfer  has  a  destination  given  by 

Dst(Ex((d, j) ,0) ,1)  if  b  is  the  number-j  input  arc  of  the 
actor  labelled  d, 

Dst(Ex(("0D", j) ,0) ,1)  if  b  is  the  number-j  program  output  arc 
By  equivalence,  there  is  a  one-to-one  pointer  correspondence  F  such  that 
there  is  an  entry  f  in  iff  there  is  an  entry  g  in  coj  with  the  same 
transfer,  and  if  V(f)  is  not  a  pointer,  V(g)  »  V(f) ,  otherwise 
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V(g)  •  F(V(f)).  Therefore,  there  is  a  token  on  b  in  iff  there  is 

one  in  52  ‘ £  > »  and  either  their  values  are  the  sane  non-pointer,  or  one  is 
(p,R)  or  (p,W)  and  the  other  is  (F(p) ,R)  or  (F(p) ,tf) . 

For  any  actor  d,  the  number  of  firings  of  d  in  2^  equals  the  number 
of  executions  of  d  which  have  input  entries  in  ^  which  equals  the 
number  of  executions  of  d  which  have  input  entries  in  co2  which  equals  the 
number  of  firings  of  d  in  If  d  is  a  gate  and  its  control  input  arc 

is  its  number- j  input  arc,  then  the  control  input  to  the  firing  of  d 
in  2^  (&2)  equals  the  value  of  Ent(Ex(d,k) ,  j)  in  (a^)  »  which  is  not  a 
pointer;  hence  the  k  firings  of  d  in  and  S?2  have  the  same  control 
input.  The  firing  of  d  in  (£>2)  removes  a  token  from  an  output  arc 
of  d*  and  is  preceded  by  exactly  k*  firings  of  d’  iff  there  is  an  entry 
in  («2)  with  transfer  (Src(Ex(d',k') ,i) ,Dst(Ex(d,k) ,j))  for  some  i  and 
j;  therefore,  the  kth  firing  of  d  in  8^  removes  a  token  from  an  output 
arc  of  d’  and  is  preceded  by  k’  firings  of  dr  iff  the  k*"*1  firing  of  d  in 
&2  removes  a  token  from  an  output  arc  of  d’  and  is  preceded  by  k*  firings 
of  d’.  From  these  three  facts,  for  each  arc  b  which  holds  pointer-valued 
tokens  in  and  either  both  are  read  pointers  or  both  are 

write  pointers  (Lemma  7.2-5).  Therefore,  if  b  holds  a  token  of  value 
(p,R)  ((p,W))  in  it  holds  a  token  of  value  (F(p),R)  ((F(p),W))  in 

The  major  task  left  is  to  prove  that,  letting  the  heap  in 
1*1,2,  be  ■  (N|,n’,SM’),  there  is  a  one-to-one  mapping  I:  -*•  N2 

such  that,  for  every  value  <p,R)  or  (p,W)  on  an  arc  in 
U'.n^(F(p))  £  fl*.n^(p).  Letting  the  heap  in  S±  be  U±  -  (N^.SM^, 
there  is  a  one-to-one  mapping  1^ s  -*■  N2  such  that,  for  every  pointer  p 
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on  an  arc  In  there  is  a  pointer  p'  on  that  arc  in  Sj,  *nd 
Ii 

U2.n2(p')  *  l^.n^p).  I  is  built  on  Ij^  thusly: 

(  l.(n>  if  n€N. 

I(n)  =  J  1  1 

(  n2(F(p))  if  n^  and  F(p)  is  defined 

where  p  is  such  that  TT^ Cp)  ”  n.  In  this  way,  n2(F(p))  -  I(n|(p)),  at 

least  if  p  is  not  in  dom  n^. 

Ideally,  would  be  shown  to  be  the  heap  determined  by  co^  from  U^; 
then  the  equality  of  reaches  in  the  equivalent  computations  and  oc^ 
would  imply  that  each  of  and  U2  had  been  altered  in  the  same  way. 
Unfortunately,  the  heap  determined  by  a  computation  is  defined  only  for 
EE(Lbs,S).  Therefore,  it  is  necessary  to  work  with  both  the  standard 
and  the  modified  interpreters.  Two  useful  results  relating  the  two 
interpreters  have  already  been  derived:  (1)  For  the  initial  standard 
state  corresponding  to  S^,  so  in  particular,  the  heap  in 

5^ *&i  is  also  Uj .  (2)  There  is  a  halted  firing  sequence  2|  starting  In 

Sj  which  has  S2^  as  a  prefix  such  that  p^  ■  Tl(<S'^,ffip  is  SOE-Inclusive 
of  co^. 

The  canonical  computation  ■  ^(5^,2^)  is  a  prefix  of  p^.  Any 
structure  operation  execution  e  ■  Ex(d,k)  is  initiated  in  iff  there 
are  k  firings  of  d  in  2^  iff’  e  is  initiated  in  a^.  For  every  j,  if  there 
is  any  entry  Ent(e,j)  in  oo^,  there  is  one  with  the  same  value  in  p^,  by 
S0E-inclu8ion;  since  e  is  initiated  in  a^,  that  entry  must  be  in  a^. 
Similarly,  if  e  is  initiated  in  a^,  then  for  any  Assign,  Update,  or  Delete 
execution  A,  e€R(A)  in  iff  e€R(A)  in  p^  iff  e€R(A)  in  co^,  (Lemma  5.2-6). 
Therefore,  by  equivalence  of  co^  and  a>2>  e  has  the  same  non-pointer  inputs 
in  and  a2,  if  it  has  a  pointer  input  p  in  a^,  that  pointer  input  in  a2 
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is  F(p) ,  and  e€R(A)  in  iff  e€R(A)  in  a 2- 

For  NAR^  the  node  activation  record  derived  from  2^  and  a^,  is 
the  heap  determined  by  from  and  NAR^.  For  any  particular  pointer  p 
and  node  n,  (p,n)€n|-n^  iff  (p,n)€ran  NAR^  iff  there  is  a  Copy  execution 
C  -  Ex(d,k)  such  that  NAR^C)  *  (p,n),  so  that  the  kth  firing  of  d  in 
is  (d,(p,n))  iff  there  is  an  entry  in  with  value  p  whose  transfer  has 
source  Src(C,j)  for  some  j  (Lemma  7.1-2).  Since  Src(C,j)  has  value  p  in 
iff  it  has  value  F(p)  in  p€dom  n|  -  dom  iff  F(p)(dom  17?  -  dom  IJj* 
Furthermore,  letting  CC^  be  the  Creating-Copy  function  corresponding  to 
NAR^,  CCl(p)  is  defined  and  equal  to  C  iff  3n:  NAR^C)  =  (p,n)  iff 
Src(C,j)  has  value  p  in  co^  iff  Src(C,j)  has  value  F(p)  in  co2  iff  3n' : 
NAR2(C)  »  (F(p),n')  iff  CC2(F(p))  is  defined  and  equal  to  C. 

For  any  pointer  p  which  is  the  value  of  a  source  s  in  p  is 

the  value  of  s  in  p^  (by  SOE-inclusion)  and  F(p)  is  the  value  of  s  in  a>2 
(by  equivalence) ;  hence  p  is  the  value  of  s  in  (3^  and  F(p)  is  the  value 
of  s  in  ^2*  If  a  *  Src(S,l)  for  a  Select  execution  S,  S  is  in  no  reach 
in  p^  iff  S  is  in  no  reach  in  (SOE-inclusion)  iff  S  is  in  no  reach  in 

a>2  (equivalence)  iff  S  is  in  no  reach  in  p2-  These  are  sufficient  to 
prove  that  (p,P1)p(F(p) ,P2) ,  whence  p€dom  17^  =»  F(p)€dom  U2  » 
n2(F(p))  *  I1(ni(p)),  by  Theorem  5.3-2.  Thus,  n^Wp))  "  I(T7^(p)) , 
whether  or  not  p  is  in  dom  11^.  Since  1^  is  one-to-one,  and  TT^,  F,  and 
n2  are  all  one-to-one,  I  is  one-to-one. 

Next  it  is  proven  that  for  any  Assign,  Update,  or  Delete  execution  A, 

a 

and  any  pointer  p,  duration  D(A)  extends  to  the  end  of  iff  D(A) 
extends  to  the  end  of  .  EntQ  (A,l)  is  in  iff  it  has  value  p  iff 
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Ent  (A,l)  has  value  F(p)  iff  Ent  (A,l)  is  in  H_?  ..  Assuming  for 

“2  “2  F(p)  a 

simplicity  that  A  is  an  Assign  execution,  D(A)  extends  to  the  end  of  H  * 

iff  either  Ent(A,l)  is  the  last  input  entry  to  an  Assign  execution  in 

or  there  is  no  such  entry  and  CC^(p)  is  defined  and  is  in  reach  R(A) 

in  a,.  Ent(A,l)  is  the  last  input  entry  to  an  Assign  execution  in  H  1 
1  P 

a-j 

but  not  in  j  »  there  is  an  A'  such  that  Ent(A',l)  follows  Ent(A,l)  in 

=»  A'(R(A)  in  Oj  »  A'  (R(A)  in  «•  since  Ent(A',l)  is  in  the  saiae 

a. 

access  historv,  it  must  follow  Ent(A.l)  in  H  x,  a  contradiction.  There 

P 

a-, 

is  no  input  entry  to  an  Assign  execution  in  H  J  ,  and  CC^(p)  is  defined 
and  is  in  R(A)  in  =»  there  is  no  Assign  input  entry  in  ^  and 
CC2(F(p))  is  defined  and  equal  to  CC^Cp)  =»  CC2(F(p)) €R(A)  in  a2»  Similar 
reasoning  applies  if  A  is  an  Update  or  Delete  execution. 

For  any  (p^,a^)  the  content  of  n^  in  the  heap  determined  by 
from  and  NAR^  (which  is  U^)  depends  on  the  inputs  to  executions  whose 

a. 

durations  extend  to  the  end  of  H  1  and  on  the  content  in  U.  of  a  certain 

pi  1 

node  m^.  The  node  m^,  along  with  the  pointer  q^  to  it,  are  given  by:  if 
(Pj,ni)€TT^t  then  (q^,mp  ■  (p^.n^;  otherwise,  q^  is  the  unique  pointer 
in  dom  nt  such  that  p^  *  VCEnt^  (CCpp),!))  is  dynamically  descended  from 
q^  in  a^.  The  set  CP  containing  each  pointer  p  such  that  p  is  the  value 
of  an  input  entry  to  a  structure  operation  execution  in  or  CC^(p)  is 
defined  is  the  set  of  pointers  to  nodes  which  are  either  accessed  or 
created  by  firings  in  £>^.  If  p^  is  not  in  CP,  then  n^  is  not  created  in 
Sj,  so  (p^»np€n^>  and  F(p^)  is  not  the  input  to  a  structure  operation 
execution  in  a2  and  CC2(F(p))  is  not  defined,  so  letting  p2  ■  F(p^), 
^p2*n2^^2’  Since  there  is  then  no  input  entry  to  a  structure  operation 


"-t 
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<Xt 

execution  in  H  1  and  CC. (p.)  is  not  defined,  no  durations  extend  to  the 

pi  11 

a. 

end  of  H  l,  so  SH^n^)  -  Since  (p^n^fl^,  m^  *  n^,  so 

SM'Cn^  -  SM1(n1). 

For  any  p^CP  and  p2  m  F(p^),  *8  value  of  an  input  entry  to  a 

structure  operation  execution  =  p„  is  the  value  of  a  source  in  =» 

(p1,p1)p(p2,P2) .  Then  (p^n^er^  =*  (p2,n2>€n2  =»  “  Pt  =* 

(qi.Pl)p(q2»P2^  *  CC1*P1^  is  defined  =»  <p1  .n^) «  (p2,n2)/?ri2  =» 

DD^  (qi>P’)  and  p^  is  the  value  of  an  input  entry  to  a  structure  operation 

execution  in  a±  (namely  CCi(p±))  =»  DD^  (q^p^)  and  (p|,P1)p(p2,p2)  =» 

(q1,p1)p(q2,p2)  (by  Theorem  5.3-2).  Therefore,  p^CP  =»  (q1,P1)p(q2,p2> . 

Recalling  the  significance  of  the  p  relation,  q^  and  point  to  nodes 

in  the  initial  heaps  and  U2  which  have  "equal"  contents;  l.e., 

SM2(m2)  «  I1(SM1(m1)),  so  SM2(m2)  -  KSMjfa^). 

For  any  p^fCP,  the  same  executions'  durations  extend  to  the  end  of 
a  a 

H  1  and  H  If  no  Assign  execution's  duration  extends  to  the  ends  of 
P1  p2 

those  access  histories,  then  the  value  in  SM|(n^)  is  the  value  in  SM^(m^) 

which  is  the  value  in  which  is  the  value  in  SM2(n2)  .  If  there  is 

such  an  Assign  execution  A,  then  the  value  in  SM!(n,)  is  V(Ent  (A, 2)) 

ll 

which  is  V(Ent  (A, 2))  which  is  the  value  in  SMl(n_).  Therefore,  SM'(n,) 
a2  £  £  11 

and  SM2(n2>  have  the  same  value.  Similarly,  there  is  an  ordered  pair 

with  selector  s  in  it  in  SM|(n^)  iff  there  is  one  in  SM2(n2>.  If  no 

a.  a_ 

Update  execution's  duration  extends  to  the  ends  of  H  1  and  H  *,  then  for 

P1  p2 

any  node  n',  (s,n')  fSMj^n^)  iff  (s,n')  fSM^On^)  iff  (s.I^n'))  €SM2(m2)  iff 
(s,I(n')) fSM2(n2) .  If  Update  execution  U's  duration  extends  to  the  ends 
of  those  access  histories,  then  for  any  pointer  r,  (s,nj(r)) €SM|(n^)  iff 
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r  -  V(Ent  (U,3))  Iff  F(r)  -  V(Ent  (U,3))  iff  (s,n!(F(r))) €SM!(n_) . 

dj  2  t  2. 

Therefore,  since  n2(F(r))  *I(n^(r)),  p^CP  =»  SM^(n2>  -  KSMJCn^). 

Finally,  for  any  pointer  p  such  that  (p,R)  or  (p,W)  is  the  value  of 
a  token  on  any  arc  b  in  5^*2^,  b  holds  a  token  of  value  (F(p),R)  or 

(F(p),W)  in  S2'S 22»  and  P  is  the  value  of  an  entry  in  ^  =  riCs^,^),  so 

n2(F(p))  *  I(n|(p))«  For  any  pointer  r  such  that  n  «  n|(r)  equals  or  is 
reachable  from  n|(p)  in  U|,  rfCP  =»  SM2(n2(F(r)))  =  I(SMj(n|(r)))  =» 
SM2(I(n))  *  I(SM^(n)).  If  rj£CP  and  for  no  node  n*  on  the  path  from  n^(p) 
to  n  is  the  pointer  to  n1  in  CP,  then  none  of  those  nodes  is  accessed  or 
created  in  the  computation,  so  each  of  them  has  the  same  contents  in 
and  U^.  Since  n^(p)  is  not  created,  p£dom  n^,  and  F(p)€domIT2;  hence, 
there  must  be  a  pointer  q  on  an  arc  b  in  5^  such  that  n^(p)  ■  FT^ (p)  equals 
or  is  reachable  from  n^(q)  in  (Theorem  5.3-2).  Therefore,  n  equals  or 
is  reachable  fromn^(q)  in  U^,  so  SM2(I^(n))  =  I^SM^n)).  Since 
SM^(n)  -  SM1(n),  SM’(I(n))  =  I(SMj(n)). 

If  r/{CP  but  there  are  nodes  on  the  path  from  n|(p)  to  n  the  pointers 

to  which  are  in  CP,  there  is  a  last  such  node  n';  i.e.,  the  pointer  p'  to 

n'  is  in  CP,  but  the  pointers  to  all  nodes  after  n’  on  the  path  to  n  are 

not  in  CP.  Letting  n"  be  the  node  immediately  following  n’  on  that  path, 

there  is  a  selector  s  such  that  (s,n"HSM^(n')  .  If  p"  is  such  that 

IT|(p")  =  n",  there  is  an  Update  execution  U  with  selector  input  s  such 

that  D(U)  extends  to  the  end  of  H  j  »  p"  ■  V(Ent  (U,3))  =»  p"€CP.  Since 

P  d^ 

p"/CP,  there  is  a  pointer  q€dom  such  that  (s,n")€SM^(n^(q))  .  None  of 
the  nodes  on  the  path  from  n"  to  n  is  accessed,  so  their  contents  are 
each  the  same  in  and  U^.  Since  n  is  reachable  from  n"  in  U^,  it  is 
reachable  from  n",  hence  fromlT^(q),  in  U^.  As  before,  there  is  a 
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pointer  q'  on  an  arc  b  in  such  that  n^(q)  equals  or  is  reachable  from 
n^(q ' )  in  U^,  so  n  is  reachable  from  n^(q')  in  U^,  sc 
SM^(I(n))  -  l(SM^(n)). 

In  any  case,  then,  for  any  node  n  equal  to  or  reachable  from  I7|(p) 
for  any  p  on  an  arc  b  in  SM^(I(n))  -  I(SM^(n)).  Since  b  holds  a 

pointer  of  value  F(p)  in  S2’®2  and  n2(p(p))  *  I(n|(p)), 

U^.n^FCp))  -  U’.!7^(p);  i.e.,  Match  ((b,,51*Q1) ,  I,  (b,S2’&2)).  Because 
and  ^2  ^2  are  mod^ied  states,  completing  the  proof  that  they  are 
equal  requires  establishing  the  following  condition:  Letting  the  pool 
component  in  be  Q^,  for  every  label  S  of  a  Select  operator  in  P, 

3pi:  SCQ^Pj)  «  3p2:  S€Q2(p2)  U^.n^(p2)  -  U^.fl^p^. 

For  any  Select  operator  S,  there  are  the  same  number  k  of  firings  of 

S  in  Gj  and  &2,  and  thus  there  is  a  prefix  0^  of  2i  in  which  ip±  is  the 
til 

k  firing  of  S.  For  any  pointer  p±,  SfQ^p^  in  iff  S  was  placed 

in  that  pool  at  the  last  firing  and  remains  there  through  to  the  end 
of  2^  iff  there  are  no  tokens  on  S's  number-1  output  arcs  at  any  point 
after  6^  iff  there  is  no  entry  in  co^  with  source  Src(Ex(S,k) ,1) .  There 
is  no  entry  with  that  source  in  iff  there  is  no  such  entry  in  «2  (by 
equivalence).  Therefore,  Bpj*.  S^Q^pj)  in  iff  3p2:  S€Q2(p2)  in 

52*22 • 

It  has  already  been  shown  that  if  p^  appears  as  the  value  of  an  entry 
in  coj,  then  U2.n2(P2)  ■  U^.n^(p^).  If  not,  all  that  can  be  said  is  that 
nJ<Pi>  is  the  s^-successor  of  IT^(pp  in  S^'0^,  where  pj  and  s^  are  the 
pointer  and  selector  inputs  to  <p^.  Letting  6^  be  r|(5^.9^),  the  heap  in 
Sj*©i  (which  is  the  heap  in  5^*9^)  is  the  heap  determined  from  by  . 

If  there  is  any  Update  execution  whose  duration  extends  to  the  end  of 


V 
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6. 

H  t»  then  p  is  the  value  of  Ent  (U,3);  i.e.f  p  is  the  value  of  an  entry 
P1  1  °1  1 
in  co^.  Therefore,  there  is  no  Update  execution  U  whose  duration  extends 

6, 

to  the  end  of  H  f.  There  is  an  entry  f  ■»  Ent(Ex(S,k) ,1)  with  value  p' 

P^  1  i 

which  is  in  y ^  but  is  not  in  6^  =  tjCS'.G  ).  D(U)  extends  to 

6. 

the  end  of  H  }  iff  f  €D(U)  in  y  (Lemma  5.2-7)  iff  Ex(S,k)€R(U)  in  y  iff 

t  i  i 

Ex(S,k)€R(U)  in  a>^.  Ex(S,k)€R(U)  in  co^  iff  Ex(S,k)€R(U)  in  w2,  so  there 

6? 

is  no  Update  execution  whose  duration  extends  to  the  end  of  history 
Therefore,  there  is  a  pair  (q^.m^)  in  such  that  (s^.ITj^p^)) 
is  in  SM^(m^).  Since  =  V(Ent^  (Ex(S,k) ,2) ) ,  s^  ■  s2  by  equivalence. 

By  a  previous  argument,  SM2(m2)  *  I^SM^On^)),  so  n^Cpj)  =  ICIl^Cp^). 
Either  q^  =  p^  or  DD^  (q^,pp;  in  any  case,  q^  is  the  value  of  an  entry 
in  Since  n^(p^)  is  reachable  from  in  at  least  U^,  reasoning 


similar  to  that  given  earlier  for  any  node  n  equal  to  or  reachable  from 
n^Pi)  in  Ux  shows  that  SM2(I(n))  *  I(SM^(n)).  Thus 
U2-n2(p2)  -  U[.n^(Pl).  Since  3?1:  S€Q1(p1>  «  3p2:  S€Q2(p2)  - 
U^,.n^(p2)  =  Uj.n|(pj),  <?2*®2  ecluals  and  P  is  functional. 


Lemma  7.3-1  Let  S  be  any  initial  modified  state  for  an  Lgg  program  P, 
and  let  £>  be  any  halted  firing  sequence  starting  in  S.  Then  for  E  the 
equivalence  class  of  initial  states  containing  S,  r)(S,<2)  is  in  J£  and  is 
halted  therein. 

Proofs 

(1)  Let  a)  »  r)(i?,S2).  Then  «  is  in  J  Lemma  4.3-3 

S*Q 

(2)  a)  is  a  prefix  of  co,  and  ti€FS(S),  so  00  is  in  J 

E 

Prove  that  w  is  halted  in  J^,  by  contradiction.  Assume 


(1)+Def.  4.3-3 
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(3)  (o  is  not  halted  in  J 

£< 

(4)  There  is  another  computation  a£J„  of  which  w  is  a  proper  prefix 

£ 

(3)+Def .  4.2-7 

(5)  a  is  a  prefix  of  some  p€Jc,  , ,  where  S’( E  and  S'  is  a  halted 

firing  sequence  starting  in  S'  (4)+Def.  4.3-3 

(6)  co  is  a  proper  prefix  of  (3,  which  is  a  permutation  of  r\(S',2') 

(4)+(5)+Def .  4.3-5 

(7)  There  is  a  prefix  8  of  $2'  whose  reduction  is  $(co)  (5)+(6)+Lemma  7.2-2 

(8)  4>(co)  is  the  reduction  of  $2  (1)+Lemma  4.3-3 

(9)  8  equals  2  (7)+(8)+Def.  2.4-5 

(10)  S'  equals  S  (5) 

(11)  Since  2  is  halted,  no  actor  is  enabled  in  S*2  Def .  2.3-1 

(12)  No  actor  is  enabled  in  S'"Q  (10)+(9)+(ll)+Cor .  7.1-2 

(13)  8  is  halted,  so  8  *  2',  so  2'  equals  2  (12)+(7)+(9)+Def .  2.3-1 

(14)  For  every  prefix  S'cp'  of  S'  in  which  tp'  is  the  firing  of  an 

actor  d,  there  is  a  prefix  Sep  of  2  in  which  <p  is  the  k**1  firing 
of  d  and  3  equals  S'  (13)+Def.  2.4-5 

(15)  S' 2  equals  s' 'S'  (16)+(10)+Thm.  7.1-2 

(16)  Every  control  arc  in  P  has  a  true  (false)  token  in  S' ’S'  iff  it 

has  one  in  S' S  (15)+Defs.  7. 1-2+3. 4-1 

(17)  There  is  an  entry  f  in  r)(S',2')  which  is  not  in  co  “  r)(S,2).  Let  the 

destination  in  T(f)  be  Dst(Ex(d,k) , j)  (6) 

(18)  d/(DL  =»  d  is  the  label  of  an  actor  in  P  =»  there  is  a  prefix  S'cp'  of 

2*  in  which  <p'  is  the  k1*1  firing  of  the  actor  labelled  d,  and  a 
token  is  removed  from  d's  number-j  input  arc  in  going  from  S' ‘S' 
toS''S'<p’  Def.  4.3-2+Alg.  4.3-1 


-425- 


(19)  =»  there  is  a  prefix  Sep  of  2  in  which  cp  is  the  firing  of  d,  and 

a  token  is  removed  from  d's  number-j  input  arc  in  going  from 

S' S  to  5*3<p  (14)+(16)+Defs.  3. 3-9+2. 1-5 

(20)  =»  there  is  an  entry  g  in  as  whose  transfer  has  destination 

Dst(Ex(d,k) ,j)  Alg.  4.3-1 

(21)  S'Q  equals  S’ *8'  (10)+(13)+Thm.  7.1-2 

(22)  d€DL  =»  there  is  an  arc  b,  uniquely  associated  with  d,  which  holds 

a  token  in  S' *2',  and  k  =  0  and  j  -  1  (17)+Alg.  4.3-1 

(23)  =»  b  holds  a  token  in  5*2  (21)+Defs.  7. 1-2+3. 4-1 

(24)  =»  there  is  an  entry  g  in  oi  whose  transfer  has  destination 

Dst(Ex(d,k),j)  (22)+Alg.  4.3-1 

(25)  There  is  an  entry  in  to,  hence  in  r)(S',2'),  whose  transfer  has  the 

same  destination  as  T(f)  (18)+(20)+(22)+(24)+(6) 

(26)  Since  f  is  the  only  entry  in  r)(S’,2')  whose  transfer  has  that 

destination,  that  entry  in  co  is  f;  i.e.  f  is  in  co  (25)+Def.  4.2-6 

Since  (3)  leads  to  a  contradiction  between  (17)  and  (26),  (3)  is  false; 

i.e.,  co  is  halted  in  J„. 

£> 

Theorem  7 . 3-1  For  any  Lp  program  P,  if  the  expansion  of  P  from  EE(Lp,M) 
is  determinate,  then  P  running  on  the  modified  interpreter  is  functional. 

Proof i 

(1)  Let  S ^  and  be  any  two  equal  modified  states  for  P,  and  let  2^ 

and  &2  b®  any  two  halted  firing  sequences  starting  in  S and 
respectively.  Then  P  is  functional  iff  e9ua^-8  5^*2^ 

Def.  2.4-4 

(2)  There  is  a  single  equivalence  class  E  of  initial  modified  states 
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for  P  that  contains  both  5^  and  s2  Cor.  2.4-1 

(3)  Let  "  r)(5^,Q^)  and  a>2  ■  t)(S2,22).  Then  and  a>2  are  both 

halted  in  (2)+Lemma  7.3-1 

(4)  Letting  the  expansion  of  P  be  (Int,*7),  J  is  in  J  (2)+Def.  4.3-2 

E 

(5)  and  0*2  are  equivalent  computations  under  a  one-to-one  pointer 

correspondence  F  (3)+(4)+Def.  6.1-1 

(6)  The,  sets  of  transfers  of  the  entries  in  and  are  identical 

(5)+Def .  6.1-1 

(7)  Every  arc  in  P  is  either  one  of  an  ordered  set  of  input  arcs  of  an 

actor  in  P  or  one  of  an  ordered  set  of  program  output  arcs  of  P 

Def.  2.1-1 

(8)  For  every  arc  b  in  P,  denote  by  AD(b)  the  destination 

Dst(Ex((d,j) ,0) ,1)  if  b  is  the  number-j  input  arc  of  actor  d 
Dst(Ex(("0D",i) ,0) ,1)  if  b  is  the  number-i  program  output  arc  (7) 

(9)  For  every  arc  b  in  P,  there  is  a  token  on  b  in  iff  there  is 

an  entry  in  whose  transfer  has  destination  AD(b) 

(8)+(3)+Alg.  4.3-1 

(10)  iff  there  is  an  entry  in  co2  whose  transfer  has  destination  AD(b)  (6) 

(11)  iff  there  is  a  token  on  b  in  52’22  (8)+(3)+Alg.  4.3-1 

(12)  Let  f  and  g  be  two  entries  from  co^  and  co2  respectively,  with  the 

same  transfer.  Then  V(f)  is  not  a  pointer  iff  V(g)  is  not  a 
pointer,  if  those  values  are  not  pointers,  then  they  are  the  same, 
and  if  those  values  are  pointers,  then  F(V(f))  is  defined  and 
equal  to  V(g)  (5)+Def.  6.1-1 

(13)  For  each  arc  b  in  P,  there  is  a  token  on  b  with  non-pointer  value 


v  in  iff  there  is  an  entry  in  co^  with  transfer  t  containing 
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destination  AD(b),  and  a  non-pointer  value  v  (8)+(3)+Alg.  4.3-1 

(14)  iff  there  is  an  entry  in  with  transfer  t,  containing  destination 

AD(b),  and  a  non-pointer  value  v  (6)+(12) 

(15)  iff  there  is  a  token  on  b  with  non-pointer  value  v  in  £2*82 

(8)+(3)+Alg.  4.3-1 

(16)  For  every  arc  b  in  F,  there  is  a  token  on  b  with  value  (p,R)  or 

(p.W),  p  a  pointer,  in  iff  there  is  an  entry  in  with 

transfer  t  containing  destination  AD(b)  and  pointer  value  p 

(8)+(3)+Alg.  4.3-1 

(17)  iff  there  is  an  entry  in  ^  with  transfer  t,  containing  destination 

AD(b),  and  pointer  value  F(p)  (5)+(12) 

(18)  iff  there  is  a  token  on  b  with  value  (F(p) ,R)  or  (F(p) ,W) ,  pa 

pointer,  in  S’j'flj  (8)+(3)+Alg.  4.3-1 

(19)  Let  Int  *  (St,  /, IE).  Then  Int  ■  Int(P) ,  and  dfSt-DL  iff  d  is  the 

label  of  an  actor  in  P  Def.  4.3-2 

(20)  Let  e  •  Ex(d,k)  be  any  execution  in  which  dfSt-DL.  Then  e  is 

initiated  in  (o^)  iff  there  are  In(  /(d))  input  entries  to  e  in 
0>1  (coj)  Def.  4.2-6 

(21)  e  is  initiated  in  co^  iff  e  is  initiated  in  (20)+(6)+Def .  4.2-5 

(22)  For  1*1,2,  $(00,)  is  the  reduction  of  2.  and  co.  is  in  J 

X  XX 

(l)+(3)+Lemma  4.3-3 

(23)  is  a  prefix  of  a  causal  permutation  of  ti(S^,2^)  (22)4Def.  4.3-5 

(24)  For  any  actor  d  in  P,  there  are  k  firings  of  d  in  2^  (or  2j)  iff 

Ex(d,k)  is  initiated  in  co^  (o^  and  Ex(d,k+1)  is  not  initiated 

(19)+(l)+(22)+(23)+Thm.  4.3-2 

(25)  There  are  the  same  number  of  firings  of  d  in  2^  and  22  (24)+(21) 
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(26)  If  d  is  a  gate,  let  j  be  such  that  d's  control  input  arc  is  its 

number-j  input  arc.  Then  the  value  of  the  token  removed  from  that 
arc  by  the  k**1  firing  of  d  in  2^  equals  V(Ent(Ex(d,k) , j))  in 

g>i  (o^)  (3)+Alg.  4.3-1 

(27)  Since  that  value  is  not  a  pointer,  V(Ent(Ex(d,k) ,j))  is  the  same 

in  and  so  the  k^  firings  of  d  in  2^  and  £>2  remove  control 
tokens  of  the  same  value  (26)+(12)+Def .  2.2-1 

(28)  For  any  two  actors  d  and  d'  and  for  any  k,  there  is  a  k'  such  that 

the  k**1  firing  of  d  in  2^  (^^  removes  a  token  from  an  output  arc 
of  d'  and  exactly  k'  firings  of  d'  precede  it  iff  there  is  an 
entry  in  (o^)  with  transfer  (Src(Ex(d' ,k') ,i) ,Dst(Ex(d,k) ,j)) , 
for  some  i  and  j  depending  on  the  arc  (3)+Alg.  4.3-1 

(29)  There  is  a  k'  such  that  if  the  k^  firings  of  d  in  2^  and  22  remove 

tokens  from  output  arcs  of  d',  then  those  firings  both  are  preceded 
by  exactly  k'  firings  of  d'  (28)+(6) 

(30)  For  any  arc  b  in  P  which  holds  tokens  of  pointer  value  in  5^*2^  and 

^2*^2'  e^tber  botb  are  read  pointers  or  both  are  write  pointers 

(25)+(27)+(29)+Lemma  7.2-5 

(31)  b  holds  a  token  of  value  (p,R)  ((p,W)),  p  a  pointer,  in  5^*2^  iff  b 

holds  a  token  of  value  (F(p),R)  ((F(p),W))  in  (16)+(18)+(30) 

Letting  the  heap  in  £ri*21  be  ■  (N|,n^,SMp,  1-1,2,  the  major  task 
remaining  is  to  prove  that  there  is  a  single  one-to-one  mapping  I:  -+ 

such  that,  for  every  value  (p,R)  or  (p,W),  p  a  pointer,  on  an  arc  in 

S1*21,  U’.n£(F(p))  -  U’.n{(p). 

(32)  Let  5^  and  be  tbe  initial  standard  states  for  P  corresponding 

to  5^  and  Sj*  Then,  for  i-1,2,  2^  is  a  firing  sequence  starting 
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in  s|,  and  (1)+Thm.  7.1-1 

(33)  is  the  heap  in  (32)+Def.  7.1-1 

(34)  For  i«*l,2,  there  is  a  halted  firing  sequence  starting  in  5' 

which  has  as  a  prefix  such  that  p^  *  ^(^^ , S2^)  is  SOE-inclusive 
of  co.  (l)+(32)+(3)+Thm.  7.1-3 

(35)  Qi  “  ^(s^.Sj)  is  a  prefix  of  (34)+Alg.  4.3-1 

(36)  coj.  W2»  a^»  a2*  p^»  an<*  ^2  are  a^  causa^-  computations  for  Int(P) 

(l)+(3)+(32)  +  (34)+(35)+Lemma  4.3-2 

(37)  For  i*l,2,  for  any  structure  operation  execution  e  =  Ex(d,k)  and 

any  j,  there  is  an  entry  Ent(e,j)  in  0^  iff  d  labels  a  structure 
operation  in  P,  there  are  k  firings  of  d  in  and  the  kth 

removes  a  token  from  d’s  number-j  input  arc  (35)+Alg.  4.3-1 

* 

(38)  iff  there  is  an  entry  Ent(e,j)  in  co^  (3)+Def.  2.2-5+Alg.  4.3-1 

(39)  There  is  an  entry  f  =  Ent(e,j)  in  =»  there  is  exactly  one  entry 

Ent(e,j)  in  p^,,  and  it  has  value  V(f)  (35)+(36)+Def .  4.2-6 

(40)  a  there  is  an  entry  g  ■  Ent(e,j)  in  0^  (37)+(38) 

(41)  =»  there  is  an  entry  Ent(e,j)  in  p^  with  value  V(g)  (34)+Def.  5.2-8 

(42)  =>  there  is  an  entry  Ent(e,j)  in  co^  with  value  V(f)  (39) 

(43)  For  any  structure  operation  execution  e  and  any  j,  there  is  an  entry 

Ent(e,j)  in  iff  there  is  an  entry  Ent(e,j)  in  cij 

(37)+(38)+(6)+Def.  4.2-6 

(44)  a  V(Ent  (e,j))  is  not  a  pointer  iff  V(Ent  (e,j))  is  not  a  pointer, 

al  a2 

if  those  values  are  not  pointers,  then  they  are  the  same,  and  if 

they  are  pointers,  then  V(Ent  (e,j))  -  F(V(Ent  (e,j))) 

a2  al 

(39)+(42)+(12) 

(45)  For  i"l,2,  for  any  structure  operation  execution  e,  e  is  initiated 
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in  iff  there  are  In(/(d))  input  entries  to  e  in  iff  there 
are  that  many  input  entries  to  e  in  iff  e  is  initiated  in  ^ 

(37)+(38)+Def.  4.2-6 

(46)  For  any  pointer  p,  p  is  the  value  of  the  output  entries  in  p^  of  a 

Copy  execution  C  =»  the  first  such  entry  in  p^  with  value  p  is  an 
output  entry  of  C  (32)+(34)+Lemma  5.2-3 

(47)  For  any  structure  operation  execution  e  initiated  in  a^»  and  any 

Assign,  Update,  or  Delete  execution  A,  efR(A)  in  p^  iff  e€R(A)  in 
only  if  A  is  initiated  in  (36)+(35)+(46)+Lemma  5.2-6 

(48)  a  e  is  initiated  in  <».  (45) 

(49)  =»  e€R(A)  in  »  iff  e€R(A)  in  p  (36)+(34)+(46)+Lemma  5.2-6 

(50)  For  any  structure  operation  execution  e  initiated  in  both  and 

a^,  and  any  Assign,  Update,  or  Delete'  execution  A,  e€R(A)  in 
iff  e€R(A)  in  iff  e*R(A)  in  o>2  iff  e£R(A)  in  a2 

(47)+(49)+(5)+Def.  6.1-1 

(51)  For  i=l,2,  let  the  heap  in  Sj  be  U^  *  (^.Fl^.SM^).  Let  NAR^  be  the 

node  activation  record  derived  from  and  a^.  Then  the  heap  in 
U|,  is  the  heap  determined  by  from  U^  and  NAR^ 

(32)+(35)+(33)+Thm.  5.2-1 

(52)  n±  £  n^,  and  for  all  (p,n),  (p,n)€TI^  -  iff  (p,n)(ran  HARj^ 

(51)+Def.  5.2-7 

(53)  iff  there  is  a  Copy  execution  C  such  that  NAR^(C)  ■  (p,n)  iff 

C  «  Ex(d,k)  where  the  k**1  firing  of  d  in  2^  is  (d,(p,n)) 

(51)+Defs .  5. 2-1+5. 2-4 

(54)  iff  there  is  an  entry  in  co^  with  value  p  whose  transfer  has  source 

Src(C,j)  for  some  j  (1)+Lemma  7.1-2 
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(55)  For  all  p€dom  TT|  -  dom  n^»  p  Is  the  value  of  an  entry  in 

(52)+(54)+(12) 

(56)  For  every  pointer  p,  pfdom  -  dom  iff  there  is  a  Copy  execution 

C  and  an  n  such  that  NAR^(C)  =  (p,n)  iff  there  is  an  entry  in 
whose  transfer  has  source  Src(C,j)  for  some  j  (52)+(53)+(54) 

(57)  iff  there  is  an  entry  in  a>2  whose  transfer  has  source  Src(C,j)  for 

some  Copy  execution  C  and  some  j  and  whose  value  is  F(p)  (6)+(12) 

(58)  iff  there  is  a  Copy  execution  C  and  an  n'  such  that  NAR2(C)  is 

(F(p).n')  iff  F(p)(dom  -  dom  n2  (52)+(53)+(54) 

(59)  Let  CC^  be  the  Creating-Copy  function  corresponding  to  NAR^.  Then 

for  any  pointer  p  and  Copy  execution  C,  CC^(p)  is  defined  and  equal 
to  C  iff  3n:  NAR^C)  -  (p,n)  iff  3n':  NAR2(C)  -  (F(p).n')  iff 
CC2(F(p))  is  defined  and  equal  to  C  (56)+(58)+Def .  5.2-5 

(60)  For  any  pointer  p,  p  appears  as  the  value  of  an  entry  in  => 

there  is  an  entry  in  co^  with  value  p  whose  transfer  has  a  source  s 
=»  there  is  an  entry  in  {3^  with  value  p  whose  transfer  has  source  s 

(34)+Def .  5.2-8 

(61)  A  F(p)  is  defined  and  there  is  an  entry  in  co2  with  value  F(p)  whose 

transfer  has  source  s  (6)+(12) 

(62)  =»  there  is  an  entry  in  p2  with  value  F(p)  whose  transfer  has  source 

s  (34)+Def.  5.2-8 

Prove  by  contradiction  that  for  any  pointer  p  which  appears  as  the  value 
of  an  entry  in  (p»P^)p(F(p) ,P2) .  Assume  this  is  false;  i.e., 

(63)  there  is  a  prefix  yf  of  co^  such  that,  for  every  pointer  q  which 

appears  as  the  value  of  an  entry  in  y,  (q»P^)p(F(q) *P2) »  ^ut  ^or 
p  -  V(f),  (p,p1)^(f(p),b2) 
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(64)  f  is  the  first  entry  in  co^  with  value  p  (63) 

(65)  Let  e  be  the  execution  of  which  f  is  an  output  entry.  Then  there 

is  an  entry  in  with  value  p  whose  transfer  has  source 
s  *  Src(e,j)  for  some  j  (63)+Def.  4.2-5 

(66)  p  is  the  value  of  source  s  in  p^,  F(p)  is  defined,  and  F(p)  is 

the  value  of  s  in  P2  (65)+(60)+(61)+(62)+Def .  4.2-6 

(67)  e  either  is  in  IE,  is  a  Copy  execution,  or  is  a  Select  execution 

which  is  in  no  reach  in  (36)+(64)+Lemma  5.3-8 

(68)  e  is  initiated  in  y  (63)+(65)+(36)+Def .  4.2-7 

(69)  e  is  initiated  in  co^,  hence  in  o>2  (45)+(6)+Def .  4.2-6 

(70)  efIE  «  (p,P1)p(F(p),p2)  (65)+(66)+Def.  5.1-10 

(71)  e  is  a  Select  execution  which  is  in  no  reach  in  =»  e  is  a  Select 


execution  which  is  in  no  reach  in  oo- 


(5)+Def.  6.1-1 


(72)  *  e  Is  in  no  reach  in  p^  or  p2  (69)+(36)+(34)+(46)+Lemma  5.2-6 

(73)  e  is  a  Select  execution  =»  there  is  an  Ent(e,l)  and  an  Ent(e,2)  in 

hence  in  u>2,  and  the  former's  values  are  pointers,  while  the 
latter's  are  not  pointers  (69)+(6)+Def .  4.2-6+Const.  5.1-1 

(74)  =»  there  are  entries  Ent(e,l)  and  Ent(e,2)  in  p^  and  P2»  aTM*  ^or 


j-1,2,  V(Ent  (e,j))  -  V(Ent  (e,j)) 


Pi 


co. 


(34)+Def.  5.2-8 


(75)  =»  V(EntQ  (e,2))  -  V(EntQ  (e,2))  and  V(Ent.  (e,l))  -  F(V(Ent„  (e,l))) 

Pi  °2  P2  Pi 

(12) 

(76)  A  V(Ent  (e,l))  ■  V(EntQ  (e,l))  is  the  value  of  an  entry  in  y 


05. 


P 


(73)+(68)+Def.  4.2-6 

(77)  -  (V (Ent-  (e,l)),p1)p(V(Entfl  (e,l)),p  )  (63)+(75) 

Pi  1  \>2 

(78)  e  is  a  Select  execution  which  is  in  no  reach  in  =* 

(66)+(71)+(72)+(73)+(75)+(77)+Def.  5.1-10 


(p,P1)p(F(p),P2) 
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(79)  e  is  a  Copy  execution  (63)+(67)+(70)+(78) 

(80)  There  is  an  entry  Ent(e,l)  in  y  of  pointer  value  q 

(68)+Def.  4.2-6+Const.  5.1-1 

(81)  (q,p1)p(F(q) ,p2) ,  there  are  entries  Ent(e,l)  in  p  and  P2, 

V(Ent  (e, 1))  -  q  and  V(EntQ  (e,l))  =  F(q) 

Pi  P2 


(82)  DD  (q,p)  and  DD.  (F(q),F(p)) 

H  ^2 


(80)+(63)+(6)+(12)+(34)-HDef .  5.2-8 

(66)+(81)+Def.  5.1-9 
p2 

(83)  q  *  p  (80)+(64) 

(84)  (p,p1)p(F(q),p2)  (83)+(82)+(81)+Def.  5.1-10 

(85)  (p,P1)p(F(p),p2)  (83)+(82)+(85)+Def.  5.1-10 

Since  (63)  leads  to  a  contradiction  with  (85),  (63)  is  false.  I.e., 

(86)  For  every  pointer  p  which  is  the  value  of  an  entry  in 

(p,P1)p(F(p),p2) 

(87)  For  any  pointer  p,  p  is  the  value  of  an  input  entry  to  a  structure 

operation  execution  in  =»  p  is  the  value  of  an  entry  in 

(37)+(39)+(42) 

(88)  =»  F(p)  is  defined  and  (p,Pj)io(F(p),p  )  (12)+(86) 

(89)  5^  and  S ^  are  equal  initial  standard  states  (l)+(32)+Thm.  7.1-2 

(90)  There  is  a  single  one-to-one  mapping  1^:  N  -*•  N2  such  that,  for  each 

arc  b  in  P,  Match((b,S£),  Ij,  (b.Sp)  (51)+(89)+Def .  2.4-3 

(91)  Define  a  mapping  Is  -►  Nj  by 

(  I.  (n)  if  n€N, 

I(n)  -  1  1 

(  n’(F(p))  if  n/{N^  and  F(p)  is  defined 

where  p  is  such  that  npp)  -  n 

(92)  For  all  ppdom  and  p2€dom  FT^,  p2  *  F(pp  and  p^  is  the  value  of 

any  entry  in  or  any  input  entry  to  a  structure  operation 


-434- 


execution  in  =»  [p^fdom  17^  =>  Pjfdom  (56)+(58) 

(93)  =»n2(p2)  =  I0I1(P1))]  (87)+(88)+(51)+(34)+(36)+Thm.  5.3-2 

(94)  a  [p^oo  n2  =.n^(p1)/&I1  (51)+Def.  2.2-1 

(95)  -n^(p2)  -  i(n'(Pl))]  •  n*(p2)  -  i<nj(Pl))  (9i) 

Next  prove  that  I  is  one-to-one 

(96)  Let  n  be  any  node  in  Nj.  n^N.^  =»  there  is  a  unique  n' CN2  such  that 

n'  -  I^n)  -  I(n)  (90)+(91) 

(97)  For  1*1,2,  NAR^  is  compatible  with  a^»  and  ran  NAR^  is  consistent 

with  U.  (32)+(35)+(51)+Lemma  5.2-2 

(98)  n^  =»  3p:  (p,n)€T7j  -  II  .  -  ran  NAR^  (51)+(52)+Def .  5.2-7 

(99)  =»  there  is  a  unique  p  such  that  17.}  (p)  ■  n  a  pedom  17}  -  dom  17 

(97)-H)ef .  5.2-3 

(100)  =»  F(p)  is  defined,  is  unique,  and  is  in  dom  17^  -  dom  172  ■  ran  NAR2 

(55)+(5)+(56)+(58)+(57) 

(101)  =>  there  is  a  unique  n'  »  I72(F(p))  *  I(n) (97)+(91)+Defs.  5. 2-3+5. 2-7 

(102)  Let  n^  and  n2  be  any  two  nodes  in  N^.  n^  is  in  N^  and  n2  is  not 
=»  Kn^)  -  1^(0^^),  which  is  in  N2,  and  I(n2)  =  n2(*(p)),  where  p 

is  such  that  nj^(p)  ■  n^N^  (90)+(98)+(101) 

(103)  =»  pfdom  -  dom  =»  F(p)€dom  n2  “  dom  l72(51)+(56)+(58)+Def .  2.2-1 

(104)  (F(p),n^(F(p)))en^  -  n2  -  ran  NAR2  (51)+Def .  2.2-1 

(105)  =»  I(n2)  -  n^(F(p))  is  not  in  N2  (97)+(51)+(91)+Def .  5.2-3 

(106)  I(n^)  *  I(n2)  m  either  n^  and  n2  are  both  in  N^  or  they  are  both 

not  in  (102)+(105) 

(107)  n^  and  n2  are  both  in  =»  I(n2)  ■  I(n^)  iff  I^(n2)  ■  I^(n^) 

(91)+(90) 

(108)  n^  and  n2  are  both  not  in  N^  »  I(n2)  »  Kn^)  =» 
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TT'(F(p2))  -  n^(F(Pl))  where,  for  i-1,2,  nj^)  =  n±  =»  F(Pl>  -  F(p2) 

(51)+Def .  2.2-1 

(109)  =>  Pl  -  p2  =>  nx  =  n2  (5)+(51)+Def .  2.2-1 

(110)  I  Is  one-to-one  (96)+(98)+(101)+(106)+(107)+(108)+(109) 

Next  prove  that  for  any  Assign,  Update,  or  Delete  execution  A  and  for  any 

a 

pointer  p,  duration  D(A)  extends  to  the  end  of  H  ^  Iff  D(A)  extends  to 

P 

the  end  of  H^p)  . 

d, 

(111)  Let  A  be  any  Assign  execution.  Then  D(A)  extends  to  the  end  of  H  1 

P 

Iff  either 

(111a)  Ent  (A,l)  is  the  last  number-1  input  entry  to  an  Assign  execution 
al 

in  that  access  history,  or 

a 

(111b)  there  is  no  such  entry  in  H  i,  and  CC..  (p)  is  defined  and  is  in 

P  ^ 

reach  R(A)  in  a;l  (97)+(51)+Def .  5.2-7 

(112)  For  any  structure  operation  execution  e,  e  is  initiated  in  iff 
e  is  initiated  in  iff  e  is  initiated  in  iff  e  is  initiated 


in  a- 


(45)+(6)+Def.  4.2-6 


a. 

(113)  For  any  structure  operation  execution  e,  Ent  (e,l)  is  in  H  x  iff 


its  value  is  p  and  e  is  initiated  in  a. 


Def.  5.1-4 


(114)  iff  e  is  initiated  in  a,  and  V(Ent  (e,l))  *  F(p)  (112)+(43)+(44) 


(115)  iff  Ent  (e,l)  is  in  H_,? 


F(p) 


Def.  5.1-4 


1  a 

(116)  (111a)  iff  Ent  (A,l)  is  in  H  1  and  there  is  no  Assign  execution 

a.  p 

A  a. 

A’  such  that  Ent  (A',1)  follows  Ent  (A,l)  in  H  1  with  no  inter- 
al  p 

vening  number-1  input  entry  to  an  Assign  execution  iff  Ent  (A,l) 

al 

ai  1 

is  in  H  and  there  is  no  Assign  execution  A'  such  that  Ent  (A',1) 


ai 

is  in  history  H  1  and  is  in  D(A)  in  a, 
P  1 


Def.  5.1-5 


a, 

(117)  iff  Ent  (A,l)  is  in  H  A  and  there  is  no  Assign  execution  A'  such 


that  Ent  (A',1)  is  in  that  history  and  A'  is  in  R(A)  in  a, 
al  1 

Def.  5.1-6 
a9 

(118)  iff  Ent  (A,l)  is  in  H  7  .  and  there  is  no  Assign  execution  A' 

‘ \P.J 

such  that  Ent  (A',1)  is  in  .  and  A'  is  in  R(A)  in  a0 
a2  JaPJ  ^ 

(113)+(115)+(114)+(50) 

(119)  iff  Ent  (A,l)  is  the  last  number-1  input  entry  to  an  Assign 


9 

execution  in  H_7 


Vp) 


Defs.  5. 1-5+5. 1-6 


(120)  For  any  pointer  p,  one  of  CC^(p)  or  CC2(F(p))  is  defined  both  are 


defined  and  are  equal  to  the  same  Copy  execution  C  (59) 

(121)  =,  for  i-1,2,  NARi(C)  is  defined  (59)+Def.  5.2-5 

(122)  3  C  is  initiated  in  both  and  a 2  (51)+Def.  5.2-4 

(123)  -  CC1(p)€R(A)  in  ^  iff  CC2(F(p)) €R(A)  in  a2  (50) 

(124)  (111b)  iff  there  is  no  number-1  input  entry  to  an  Assign  execution 


in  hf(p) 

(125)  and  CC2(F(p))  is  defined  and  is  in  R(A)  in 

(126)  (111a)  =»  A  is  Initiated  in 

(127)  (111b)  =>  A  is  initiated  in  a. 


(113)+(115) 

(120)+(123) 

(113) 

(36)+Lemma  5.3-8 


(128)  D(A)  extends  to  the  end  of  iff  D(A)  extends  to  the  end  of 

ai 

H  1  only  if  A  is  initiated  in  a 
P  1 

(lll)+(116)+(119)+(124)+(125)+(126)+(127)+Def .  5.2-6 

(129)  Let  U  be  any  Update  or  Delete  execution  initiated  in  a^.  Then 


V(Ent  (U,2))  -  V(Ent  (U,2)) 
2  1 


(43)+(44) 


Replacing  "Assign  execution  A"  with  "Update  or  Delete  execution  U  with 


V(Ent(U,2))  *  s"  in  (111)  through  (128)  yields  a  proof  of 

°  (X. 

(130)  D(U)  extends  to  the  end  of  iff  D(U)  extends  to  the  end  of 


■9 

i 


1 
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only  if  U  is  initiated  in  a. 


(129) 


(131)  For  any  pointer  p,  CC^(p)  is  defined  =»  there  is  a  Copy  execution 


C  and  a  node  n  such  that  NAR^(C) 


(p.n) 


ni  ”  ni 


there  is  an  entry  in 

(59)+(53)+(54) 
(52)+Def.  5.2-1 
(12) 
(56)+(58) 

(135)  For  any  pointer  p,  p  is  the  value  of  an  input  entry  of  a  structure 


co^  with  value  p 

(132)  a  (p,n)€ran  NAR^  » 

(133)  =»  F(p)  is  defined 


(134)  a  F(p)sdom  n2  ~  dom  n2 


operation  execution  in  =»  F(p)  is  the  value  of  an  entry  in  a2 


(43)+(44) 


(136)  «  there  is  a  prefix  0  of  &2  such  that  a  token  of  value  F(p)  is  on 

an  arc  in  £^*e  (34)+(35)+Alg.  4.3-1 

(137)  =»  F(p)  is  in  dom  n  in  S^'Q  (32)+Def.  2.3-1+Thm.  2.2-1 

(138)  =»  F(p)  is  in  dom  (33)+Def .  2.2-5 

(139)  Let  CP  be  the  set  of  pointers  {p|  p€dom  n|  and  p  is  the  value  of 
an  input  entry  to  a  structure  operation  execution  in  or  CC^(p) 
is  defined}.  For  any  p€CP,  F(p)  is  defined  and  is  in  dom  n2 

(87)+(88)+(131)+(134)+(135)+(138) 
Now  prove  that  for  any  p^CP,  SM^ftT^Wpj)))  =  I(SM|(n^(p1))) 

(140)  Let  be  F(p^)  and  let  n^  be  such  that  (p^fn^)^!^,  i*l,2.  Let 

^i’mi^  8UC^ 

If  (P^n^e^,  then  (q^n^)  -  (p^n^, 

otherwise,  Is  t*ie  unique  pair  in  such  that,  for 

p!  -  V(Ent  (CC  (p),l)),  DD  (q.,p!) 

1  Of  1  1  1 

(139)+(32)+(51)+(34)+(35)+Lemia  5.2-4 

(141)  (p^,n^)€II^  =  CC^(p^)  is  not  defined  a  p^  m  q^  =»  p^  is  the  value 
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of  an  input  entry  to  a  structure  operation  execution  in 

(131)+(132)+(140)+(139) 

(142)  a  (p2,n2)«n2  -  q2  -  p2  (139)+(56)+(58)+(140) 

(143)  *•  (p1.P1)p(p2»P2^  -  (q1.P1)p<q2»P2^  (87)+(88) 

(144)  (p1,n1)|?ni  -  (P2,n2)/(n2  «•  DD(i  (q^pj)  and  DDa  (q2»Pp 

(139)+(56)+(58)+(140) 


(145)  »  since  dynamic  descendancy  depends  only  on  the  entries  in  a 


computation,  DD^  (q^.pp  and  DD^  (q2»P2) 


(35)+Def.  5.1-9 


(146)  (p^tn^)jfflj  and  p^  is  the  value  of  an  entry  in  «•  CC^(p^)  is 

defined  and  Ent  (CC.(p  ),1)  is  in  a. 

al  1  1  , 

(32)+(34)+(35)+(51)+(59)+Lemma  5.2-3 

(147)  CC^pp  is  defined  -  NAR^(CC^(p^))  is  defined  <•  CC^fp^)  is 


initiated  in  a. 


Defs.  5. 2-5+5. 2-4 


(148)  -  Ent^  (CC1(p1),l)  is  in  Uj  Defs.  5. 1-1+4. 2-6 

(149)  (pj.n^H  nx  ■*  pj^  is  the  value  of  an  input  entry  to  a  structure 
operation  execution  in  and  CC^(p^)  is  defined  (139)+(146)-(148) 

(150)  -  (pj,P1)p(F(p|) ,p2)  (87)+(88) 

(151)  A  p'  -  V(Enta  (CC2(p2),l))  -  F(V(Enta  (CCj (Pj) , 1) ) )  -  F(Pp 

(140)+(59)+(43)+(44) 

(152)  -  (q1,P1)p(q2,P2)  (89)+(90)+(51)+(35)+(36)+(144)+(145)+Thm.  5.3-2 

(153)  (q1,P1)p(q2,P2)  ( 14 l)+( 143)+( 149) +( 1 5 2) 

(154)  SM2(m2)  -  I1(SM1(m1)) 

(89)+(90)+(51)+(32)+(35)+(36)+(140)+(153)+Thm.  5.3-2 


(155)  There  is  an  Assign  execution  A  such  that  D(A)  extends  to  the  end  of 
H  *  •  the  value  in  SMj(n.)  equals  V(Ent  (A, 2))  (51)+Def.  5.2-7 

Pj  11 
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(156)  a  D(A)  extends  to  the  end  of  H  ^  A  A  is  initiated  in  a  (140)+(128) 


(157)  =»  the  value  in  SH|(n^)  equals  V(EntQ  (A, 2))  (43)+(44) 

(158)  a  the  value  in  SM^(n?)  equals  V(Ent  (A, 2))  (51)+Def.  5.2-7 

"  1  a2 

(159)  There  is  no  Assign  execution  whose  duration  extends  to  the  end  of 

ai 

H  A  =>  the  value  in  SM^(n^)  equals  the  value  in  SM-^(m^) 

(51)+(140)+Def .  5.2-7 

(160)  a  there  is  no  Assign  execution  whose  duration  extends  to  the  end 

of  h“2  (140)+(128) 

p2 

(161)  =»  the  value  in  SM-J(n^)  equals  the  value  in  SJ^mj)  (154)+Def.  2.4-1 

(162)  a  the  value  in  SM^O^)  equals  the  value  in  SMj^) 

(51)+(140)+Def.  5.2-7 

(163)  The  value  in  SM^n^)  equals  the  value  in  SMj(n^) 

(155)+(157)+(158)+(159)+(161)+(162) 

(164)  For  any  selector  s,  there  is  an  Update  or  Delete  execution  U  such 

a 

that  V(Ent  (U,2))  =  s  and  D(U)  extends  to  the  end  of  H  ^  =>  there 
“l  P1 

is  an  ordered  pair  with  s  in  it  in  SM^(n^)  iff  U  is  an  Update 

(51)+Def.  5.2-7 

(165)  a  D(U)  extends  to  the  end  of  H  2  a  U  is  initiated  in  a9  (140)+(130) 

p2  2 


(166)  =>  V(Ent  (U,2))  ®  s 
a2 


(43)+(44) 


(167)  =»  there  is  an  ordered  pair  with  s  in  it  in  SM^nj)  iff  U  is  an 


Update 


(51)+Def.  5.2-7 


(168)  =»  there  is  an  ordered  pair  with  s  in  it  in  Iff  there  is  an 

ordered  pair  with  s  in  it  in  SM^(n^)  (164) 

(169)  For  any  selector  s,  there  is  an  ordered  pair  with  s  in  it  in 
SM^nij)  iff  there  is  an  ordered  pair  with  s  in  it  in  SM2(m2) 

(154)+Def.  2.4-1 
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(170)  For  any  selector  s,  there  Is  no  Update  or  Delete  execution  U  such 

a. 

that  V(Ent  (U,2))  -  s  and  D(U)  extends  to  the  end  of  H  1  =  there 
al  P1 

is  an  ordered  pair  with  s  in  it  in  SM^(n^)  iff  the  same  ordered 

pair  is  in  SM  (a  )  (51)+(140)+Def .  5.2-7 

(171)  a  there  is  no  Update  or  Delete  execution  U  such  that  V(Ent  (U,2)) 

a2 

is  s  and  D(U)  extends  to  the  end  of  H  ^  (130)+(43)+(44) 

p2 

(172)  =»  there  is  an  ordered  pair  with  s  in  it  in  SM^n^)  iff  the  same 

ordered  pair  is  in  (51)+(140)+Def .  5.2-7 

(173)  =»  there  is  an  ordered  pair  with  s  in  it  in  SM^n^)  iff  there  is  an 

ordered  pair  with  s  in  it  in  SM^(n^)  *  (170)+(169) 

(174)  For  every  selector  s,  there  is  an  ordered  pair  with  s  in  it  in 
SM’(n2)  iff  there  is  an  ordered  pair  with  s  in  it  in  SKj'fn^) 

(164)+(168)+(170)+(173) 

(175)  Let  s  be  any  selector  such  that  there  is  a  pair  (s,n^(r^))  in 

SM^n^.  Then  there  is  a  pair  (sJT^^))  in  SM^n^  (174) 

(176)  For  i-1,2,  n^r^fN’,  so  rifdoi  nj  (32)+(33)+Thm.  2.2-1 

(177)  Either  there  is  an  Update  execution  U  such  that  D(U)  extends  to 

ai  a, 

the  ends  of  H  1  and  H  *  and  U  is  initiated  in  a.,  or  (8,n!(r.)) 

Pj^  P2  1  i  i 

is  in  SM1(m1)  (175)+(164)+(165)+(170)+(172) 

(178)  There  is  an  Update  execution  U  such  that  D(U)  extends  to  the  ends 

of  both  and  HQ2  and  U  is  initiated  in  a.  *»  r  ■  V(Ent  (U,3)) 

11  ai 

(51)+Def.  5.2-7 

(179)  -  r2  -  F(rx)  (43)+(44) 

(180)  -  n^(r2)  -  Kn’O^))  (176)+(92)+(95) 

(181)  (B,n’(r1))€SM1(m1)  «»  n^(r2)  -  IjOl’^))  (154)+Def.  2.4-1 

(182)  a  n^(ri)€M1 


(51)+Def.  2.2-1 


(183)  -  n^(r2)  -  KIT^))  (91) 

(184)  For  any  selector  s,  there  Is  a  pair  (s.n^r^))  in  SM2(n2)  iff  there 
is  a  pair  (s.nj^r^)  in  SM’^)  and  n^,(r2)  “  ^l^l^ 

(174)+(175)+(177)+(178)+(180)+(181)+(183) 

(185)  For  every  pointer  p^CP,  SM^CT2(F(p)))  “  I(SK^(n^(p)))»  bo 
SM^(I(n'(p)))  -  I(SM^(IT|(p) ) ) (163)+(184)+(140)+(92)+(95) +Def .  2.4-1 

(186)  Let  p^  be  any  pointer  in  dom  but  not  in  CP  and  let  n^  be  n^(p^). 

Let  n2  be  l(n^),  and  let  p2  be  such  that  “  n2>  p2  is  the 

value  of  an  input  entry  to  a  structure  operation  execution  in  a2 

=»  p2  =  F(p')  where  p'  is  the  value  of  an  input  entry  to  a 
structure  operation  execution  in  (43)+(44) 

(187)  ~n^(p2)  =>  i(n;(p'))  (92)+(95) 

(188)  »  since  I  and  are  one-to-one,  p^  »  p',  which  is  in  CP 

(110)+(186)+(139)+Def.  2.2-1 

(189)  CC2(p2)\^Ls  defined  =»  CC^p')  is  defined,  where  p2  -  F(p')  (59) 

(190)  -  (P,,n’(p’))€n^  -  nx  (13D+U32) 


(191)  -n^p')^ 


(192)  -  I(n|(p'))  -  n^(p2)  -  n2 


(131)+(132) 
(51)+Def.  2.2-1 
(91)+(139)+(186) 


(193) 


Pl  ^CC/p.)  is  defined  =»  p.  €CP  (110)+(l86)+(139)+Def .  2.2-1 


(194)  p2  is  not  the  value  of  an  input  entry  to  a  structure  operation 
execution  in  a2  and  CC2(p2)  is  not  defined  (186)+(188)+(189)+(193) 

V 

(195)  For  1>1,2,  there  is  no  Assign,  Update,  or  Delete  execution  A  such 

that  Ent  (A,l)  has  value  p . ,  and  CC. (p.)  is  not  defined 

ill 

(186)+(194)+(139) 

(196)  No  Assign,  Update,  or  Delete  firing  in  has  p^  as  a  number-1 


pointer  input 


(195)+Alg.  4.3-1 
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(197)  (p^n^ai*  -  nt  =»  3C:  NAR1(C)  -  (p^np  -  CC1<p1>  is  defined 


(198)  (pi,ni)a7i 

(199)  SM'(ni)  -  SMi(ni) 


(52)+(53)+Def.  5.2-5 
(197)+(195) 
(198)+(196)+Defs.  3. 3-9+2. 2-5 


(200)  Let  p  be  any  pointer  which  appears  as  the  value  of  an  entry  in 

and  let  r  be  any  pointer  in  don  which  is  not  in  CP  such  that 

fl|(r)  is  reachable  in  Uj  from  a  node  m  which  is  either  n^(p)  or  a 
successor  in  of  l"!j(p).  Prove  that  SM^dOl^r)))  *  I(SM|(nj(r))) 

(201)  There  is  a  path  from  m  to  n^(r)  in  U^,  i.e.,  a  sequence  of  nodes 
n^,  n^,  ....  n^,  with  m  »  n^,  II^(r)  »  n^*  and  for  i«*l, . . .  ,k-l, 
n^+^  is  a  successor  of  n^;  that  is,  there  is  an  ordered  pair 


(a,n!+l)  is  SM^n1) 


(200)+Def .  2.2-2 


(202)  Let  J  be  such  that,  for  i«j,...,k,  D^’Cnp  is  not  in  CP.  Then 

for  i»J ....  ,k,  SM|(n4)  -  SM^n^  (186)+(199) 

(203)  There  is  a  path  from  n^  to  n^  in  (51)+(201)+(202)+Def .  2.2-2 

(204)  F(p)  is  defined  and  (p,p1)p(P(p) ,P2)  (200)+(16)+(87)+(88) 

(205)  j  ■  1  A  pfCP  =»  there  is  a  path  from  m  to  n^(r)  in  *»  there  is 

a  path  from  n{(p)  to  nj(r)  in  U1  (202)+(203)+(201)+(200) 

(206)  a  pfdom  nx  and  F(p)€dom  n2  (186)+(198) 

(207)  »  there  is  an  arc  of  P  which  holds  a  pointer  qj  in  Sj  such  that 
nA(p)  equals  oris  reachable  from  (qp  in 

(89)+(90)+(51)+(32)+(35)+(36)+(204)+Thm.  5.3-2 

(208)  »  m  ■  n^  equals  or  is  reachable  from  n^(qp  in 

(201)+(200)+Def .  2.2-2 

(209)  j  >  1  v  p€CP  «*  letting  pj  and  p^  be  such  that  n^  •  ^(Pj)  and, 

if  j  -  1,  Pj_j  •  p,  else  nj_j  *  n£(pj_j) ,  i8  in  CP*  80  ^ther 
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there  is  an  Update  execution  U  such  that  V(Ent  (U,3))  *  p  ,  or 

1  3 

there  are  two  pointers  qpdom  17  ^  and  q2fdom  such  that  (s,nj)  is 
in  SM1(ni(q1))  and  (q1,P1)p(q2,P2) 

(200)+(201)+(175)+(177)+(178)+(202)+(140)+(153) 

(210)  =»  since  p,*CP,  it  is  not  the  value  of  Ent  (U,3),  so  there  are  two 

J  1 

pointers  qpdom  17^  and  q2€dom  FI2  such  that  (s,nj)€SM^(n^(q^))  and 

(q1»P1)p(q2»P2)  (202)+(139) 

(211)  =>  there  is  a  q^  on  an  arc  in  such  that  n^qp  equals  or  is 
reachable  from  npqp  in  U^(89)+(90)+(51)+(32)+(35)+(36)+Thm.  5.3-2 

(212)  =»  n^  is  a  successor  of  n^qp  in  U^  so  n^  is  reachable  from 

^(qp  in  Ux  (210)+Def.  2.2-2 

(213)  There  is  a  pointer  q|  on  an  arc  b  in  Sj  such  that  n^  is  reachable 

from  npqp  in  (205)+(208)+(209)+(212) 

(214)  n^  is  reachable  from  n^(qp  in  (213)+(203)+Def .  2.2-2 

(215)  n^  -  nj(r)  -  ni(r) ,  so  is  in  (201)+(200)+(186)+(198) 

(216)  For  q^  the  pointer  on  b  in  ^.^(q^)  •1U^.n^(qp  (90)+Def .  2.4-2 

(217)  SM2(I1(ni(r)))  =  I1(SM1(ni(r)))  (214)+(215)+(216)+Def .  2.4-1 

(218)  SMpi(n’(r)))  -  I(SM’(npr)))  (200)+(186)+(199)+(215)+(91) 

(219)  Let  p  be  any  pointer  such  that  there  is  a  token  of  value  (p,R)  or 
(p,W)  on  an  arc  b  in  SpSj..  Then  p  appears  as  the  value  of  an 
entry  in  and  a  token  of  value  (F(p),R)  or  (F(p),W)  is  on  b 

in  52‘22  (16)+(19) 

(220)  npF(p))  -  impp))  (219)+(92)+(95) 

(221)  Let  n  be  any  node  which  equals  or  is  reachable  from  npp)  in  U’. 

Let  q  be  such  that  fl^q)  “  n.  Then  q€CP  •  SM^Clfa))  “  l(SM^(n)) 
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(185) 

(222)  q&P  =»  SM’(I(n))  -  I(SM'(n))  (219)+(200)+(218) 

(223)  SM^(I(n))  -  I(SM^(n))  (221)+(222) 

(224)  Uj.nj(F(p))  i  Uj.n^(p)  (220)+(221)+(223)+Def.  2.4-1 

(225)  There  is  a  one-to-one  mapping  I  under  which  for  each  arc  b  in  P, 
Match((b,S1-21),  I,  (b.S^)) 

(9)+(ll)+(13)+(15)+(31)+(110)+(219)+(224)+Def.  3.4-1 

Finally,  it  is  necessary  to  prove  that,  letting  the  pool  components  of 
5^’2^  and  *>e  ^1  an<*  ^2*  ^or  every  la^el  S  of  a  Select  operator, 

3py  s€Q1(p1)  ~  3p2s  s€q2(p2)  =*  u^.n*  (p2)  l  ujJi^pj) 

(226)  There  are  the  same  number  k  of  firings  of  S  in  2^  and  22  (24)+(25) 

(227)  Ex(S,k)  is  initiated  in  both  and  a>2  (226)+(24) 

(228)  For  1*1,2,  let  be  the  prefix  of  2^  in  which  <p^  is  the  last 

(kth)  firing  of  S.  Then  S  is  enabled  in  S  ’0  Def.  2.3-1 

(229)  In  9j,  S  is  in  no  pool,  and  there  are  no  tokens  on  its  output 

arcs  (228)+Defs.  3. 3-6+2. 1-4 

(230)  3p^:  SfQ^p^)  in  ^*^1  **  ^or  Prefl*es  of  2^  longer  than  0^, 

S€Qi(pi)  in  5i"Si  (228)+Def .  3.3-9 

(231)  •  there  is  no  prefix  A^cp^  of  2^  containing  exactly  k  firings  of  S 

such  that  tokens  appear  on  the  number-1  output  arcs  of  the  actor 
labelled  S  in  the  transition  from  to  •  A^J  Def.  3.3-9 

(232)  *•  there  is  no  entry  in  whose  transfer  has  source  Src(Ex(S,k) ,1) 

(19)+Lemma  4.3-1 

(233)  *  there  is  no  token  on  a  number-1  output  arc  of  S  in  and 

there  is  no  prefix  longer  than  9^<p^  in  which  <p^  removes  a 
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token  from  such  an  arc  (228)+(226)+Alg.  4.3-1 

(234)  =»  there  Is  no  prefix  of  containing  exactly  k  firings  of  S 

such  that  tokens  appear  on  the  number-1  output  arcs  of  S  in  the 
transition  from  to  S^’A^tp^  (229) 

(235)  3p^:  S^Q^(p^)  in  **  there  is  no  entry  in  whose  transfer  has 

source  Src(Ex(S,k) ,1)  (230)+(232)+(234)+(231) 

(236)  There  is  no  entry  in  whose  transfer  has  source  Src(Ex(S,k) ,1) 

iff  there  is  no  such  entry  in  (Oj  (6) 

(237)  3Pl:  S€Q1(p1)  in  iff  3?2:  SfQ^)  in  S^2  (235)+(236) 

(238)  For  i-1,2,  S€Q  (p±)  in  S ^  =»  S€Q±(Pl)  in  5^0^  (230) 

(239)  =>  S€Qi(pi)  in  Fire(51-0±tS)  Def.  3.3-9 

(240)  =»  letting  5^0^.  be  (I^.U^.Q^),  there  are  tokens  of  value  on 

S's  number-1  output  arcs  in  Standardp^Strip^^.S)  ,U^)  ,S)Def .  3.3-9 

(241)  =»  letting  IT  be  (Nj,n^,SMp,  the  pair  (si>n"(pi))  is  in  SM'^(pJ)) 
where  p^  and  s^  are  the  values  of  the  tokens  on  S's  pointer  and 
selector  input  arcs,  respectively,  in  Strip^^.S)  Defs.  3. 3-7+2. 2-5 

(242)  =>  (si,n^(pi))€SM^(n^(Pp)  where  pj  and  s^  are  the  values  of  the 

tokens  on  S's  pointer  and  selector  input  arcs  in  which  are 
removed  by  <p^  (228)+Def.  3.3—8 

(243)  -  (8i,n^(pi))€SM,^(n^(Pp)  where  p^  -  V(EntM  (Ex(S,k),l))  and 

s,  ■  V(Ent  (Ex(S,k),2))  »  s.  *  s„  (12)+Alg.  4.3-1 

i  12 

(244)  0^  is  a  firing  sequence  starting  in  and  ^ 

(32)+Thm.  7.1-1 

(245)  is  the  heap  in  S’’*01  (240)+(244)+Def .  7.1-1 

(246)  Let  y  be  and  let  NAR^  be  the  node  activation  record 

derived  from  and  y^.  Then  is  the  heap  determined  by  from 
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U±  and  NAR| 


(32)+(244)+(245)+Thm.  5.2-1 


(247)  Let  6.^  be  r)(5^,6i<pi) .  Then  6^^  is  a  causal  prefix  of  co^ 

(228)+Lemma  4.3-2+Alg.  4.3-1 

(248)  S^Q^(p^)  in  =*  *  Ent6  (®x(s »k)  »1)  is  in  6^  but  not  in  Y^ 


and  has  value 


(238)+(243)+(228)+Alg.  4.3-1 


i  j 

(249)  **  for  any  Update  execution  U,  I(D(U)  extends  to  the  end  of  Hp,  and 
V(Enty  (U,2))  -  8±  iff  ft€D(U)  in  6±  and  V(Entg  (U,2))  -  s1 

(228)+Lemma  5.2-7 

(250)  iff  Ex(S,k)€R(U)  in  6  (243)+Def.  5.1-8 

(251)  iff  Ex(S,k)€R(U)  in  coj  (247)+(36)+(32)+(34)+Lemma  5.2-3+Lemma  5.2-6 

Y- 

(252)  =»  D(U)  extends  to  the  end  of  H  }  and  V(Ent  (U,2))  ■  s,  iff 

P1  Y1 

Ex(S,k)€R(U)  in  ^  and  V(Entw  (U,2))  -  sL  iff  Ex(S,k)*R(U)  in  &>2 

1  Y, 

and  V(Ent  (U,2))  *  s„  iff  D(U)  extends  to  the  end  of  H  f  and 


V(Ent  (U,2))  -  s 
T2 


(247)+(12)+(243)+Def .  6.1-1 


(253)  53  [D(U)  extends  to  the  end  of  H  *  and  V(Ent  (U,2))  »  s. 

Pj  t  .  i 


V(Ent  (U,3) ) 


(243)+(246)+Def .  5.2-7 


(254)  =»  p^  is  the  value  of  an  entry  in  and  p2  “  F(p^)  (12) 

(255)  -U^.n»(p2)  l  U|.n|(Pl)]  (219)-(224) 

Y. 

(256)  A  [£U:  D(U)  extends  to  the  end  of  H  ,  and  V(Ent,  (U,2))  »  s,  =» 

r,  pl  Yi  1 

?U:  D(U)  extends  to  the  end  of  H  f  and  V(Ent  (U,2))  ■  s_  "* 

P2  t2  i 

letting  n^  be  such  that  (p^.n^QlJ,  and  defining  (q  .in^)  by 

if  (p*,^)^,  then  (q^t^)  -  (p^,^), 

otherwise,  (q^.m^^)  is  the  unique  pair  in  such  that 

V(Ent  (CC  (p'),l))  is  dynamically  descended  from  q.  in  y. 

Y4  i  i  1  1 


(s1,n;(Pi))^«Hi(m1) 


(243)+(246)+Def .  5.2-7 
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(257)  =»  by  the  same  reasoning  as  (140)-(154),  since  p|€CP, 

SM2(m2)  -  I1(SM1(m1))  (243)+(37)+(38)+(39)+(42)+(139) 

(258)  -  n^(p2)  -  I(n^(Pl))  (91)+Def .  2.4-1 

(259)  A  appears  as  the  value  of  an  entry  in  and  nj(p^)  is  a 

successor  of  n|(q^)  in  (243)+(256)+Defs.  5. 1-9+2. 2-2 

(260)  =»  for  any  node  n  reachable  from  n|(p^)  in  U^,  letting  r  be  such 

that  nj(r)  -  n,  r€CP  =>  SM^(I(n))  -  I(SM’(n))  (185) 

(261)  A  r*CP  =>  SM’(I(n))  =  I(SMj(n))]  (200)+(218) 

(262)  S€Q1(pi)  in  =  U^.n’(p2)  i  Uj.n{(Pl) 

(248)+(253)+(255)+(256)+(258)+(260)+(261)+Def.  2.4-1 

(263)  52*S22  equals  5  'fij.  (225)+(237)+(262)+Def .  7.1-2 

(264)  P  is  functional  (l)+(263) 


Q.E.D. 
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Chapter  8 

Summary  and  Conclusions 

This  final  chapter  consists  of  four  sections.  The  first  recapitulates 
the  goals  of  the  thesis,  summarizes  the  steps  taken  toward  achieving  them, 
and  exhibits  the  ultimate  results.  Section  8.2  evaluates  these  results  to 
see  how  well  the  goals  have  been  met.  Section  8.3  presents  suggestions 
for  further  research  (Including  several  already  undertaken  by  the  author) . 
Section  8.4  completes  the  thesis  with  a  brief  set  of  conclusions  about 
the  significance  of  the  work  which  it  reports. 

8 . 1  Summary 

The  primary  goal  of  the  thesis  is  to  develop  a  language  1^  and  an 
interpreter  for  it,  together  with  a  translation  algorithm  which  takes  any 
well-behaved  program  P  into  an  program  which  is  equivalent  to  P 
and  maximally  concurrent.  The  secondary  goal  is  to  render  the  results  in 
as  general  a  form  as  possible,  so  that  they  may  more  easily  be  applied  to 
models  of  concurrent  computation  other  than  data  flow. 

Lgg,  the  data-flow  language  with  structures  as  storage,  offers  the 
prospect  of  maximal  concurrency,  but  runs  afoul  of  the  problem  of  non- 
functionality:  Every  program  P  is  functional,  so  any  program  equiva¬ 
lent  to  P  must  also  be  functional  (precise  definitions  of  functionality 
and  equivalence  are  given  in  Section  2.4).  A  simple  translation  of  P 
into  LgS  yields  a  program  P'  which,  on  the  standard  interpreter,  may  have 
more  concurrency  than  P,  but  also  may  be  non-functional.  The  solution 
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pur  sued  here  is  to  retain  the  structure-as-storage  operations,  but  modify 
the  interpreter  so  that  at  least  a  subset  of  L  (which  includes  P') 
is  functional. 

It  is  argued  in  Section  3.1  that  the  only  practical  way  to  guarantee 
functionality  is  to  guarantee  freedom  from  conflict.  A  program  P  is 
conflict-free  iff  the  following  is  true  for  every  initial  state  S  for  P 
and  any  two  structure  operators  d^  and  d^  in  P:  If  there  is  a  firing 
sequence  2  starting  in  S  in  which  the  i*"*1  firing  of  d^  potentially  inter¬ 
feres  with  the  firing  of  d^  (Table  3.1-1),  which  it  follows,  then  those 
firings  are  sequenced  by  5;  i.e.,  the  itl*  firing  of  d^  follows  the  jth 
firing  of  d^  in  every  firing  sequence  starting  in  S.  Freedom  from  conflict 
actually  implies  a  much  stronger  condition:  determinacy.  A  program  is 
determinate  if  all  halted  firing  sequences  starting  in  equal  initial  states 
not  only  produce  equal  final  states,  but  do  so  "in  the  same  way".  The 
first  major  contribution  of  the  thesis  is  a  "scheme",  the  combination  of 
a  restriction  on  L  programs  and  a  modification  of  the  interpreter,  which 
eliminates  conflict  and  so  guarantees  determinacy,  hence  functionality. 

The  scheme  distinguishes  between  pairs  of  potentially-interfering 
firings  in  2  on  the  basis  of  whether  the  two  firings  are  in  the  same  or 
in  different  blocking  groups  (a  blocking  group  is  the  set  of  firings  in  2 
all  of  which  receive  their  primary  pointer  inputs  from  the  same  program 
input  or  Copy  or  Select  firing) .  In  the  case  of  two  such  firings  in  the 
same  blocking  group,  it  is  assumed  that  a  simple  analysis  of  the  program  P 
will  reveal  whether  those  firings  are  sequenced  by  all  initial  states  of  P. 
It  ia  further  assumed  that,  if  necessary,  P  can  be  re-written  (by 
inserting  sequencers)  so  that  it  satisfies  the  Determinacy  Condition,  which 
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is:  For  any  Initial  state  S  of  P  and  structure  operators  and  in  P, 

th 

if  there  is  a  firing  sequence  starting  in  5  in  which  the  i  firing  of  d^ 
and  the  j**1  firing  of  d^  potentially  interfere  and  are  in  the  same  blocking 
group,  then  those  firings  are  sequenced  by  S.  The  validity  of  these 
assumptions,  i.e.,  the  ease  of  testing  and  re-writing  P,  is  evaluated  later 
(Section  8. 2. 1.3).  The  only  immediate  concern  is  for  those  L__  programs 

SO 

produced  by  the  translation  from  L^;  it  is  proven  that  these  do  satisfy 
the  Determinacy  Condition. 

Sequencing  a  pair  of  firings  in  different  blocking  groups  is  accomp¬ 
lished  by  two  modifications  of  the  standard  interpreter.  The  first 
replaces  simple  pointers  with  read  and  write  pointers  as  the  values  of 
tokens.  The  only  non-pi-output  arcs  on  which  write  pointers  can  appear 
are  the  number-1  output  arcs  of  Copy  operators.  A  requirement  that  every 
firing  of  a  write-class  operator  (Assign,  Update,  or  Delete)  has  a  write 
pointer  as  its  primary  input  is  met  by  another,  simple  restriction  on 
programs,  the  Read-Only  Condition.  The  second,  key  modification  of  the 
interpreter  causes  it  to  withhold  tokens  of  read-pointer  value  (p,R)  from 
the  output  arcs  of  a  Select  operator  so  long  as  any  arc  holds  a  token  of 
write-pointer  value  (p,W).  The  subset  of  L^g  consisting  of  those  programs 
satisfying  both  the  Determinacy  and  Read-Only  Conditions  is  the  language 
Lp  sought.  The  standard  interpreter  with  the  above  two  changes  is  the 
desired  modified  Interpreter,  on  which  all  programs  are  functional. 

Section  3.4  completes  the  achievement  of  the  primary  goal  by  present¬ 
ing  an  algorithm  to  translate  any  program  F  into  an  L^g  program  P' . 

P'  is  in  Lp,  and  if  every  program  is  functional  (and  P  is  well-behaved), 
then  P'  is  equivalent  to  P  (Theorem  3.4-3). 


The  secondary  goal  of  the  thesis  is  that  the  proof  of  L^'s  function¬ 
ality  should  be  as  general  as  possible,  to  make  it  applicable  to  other 
models  of  concurrent  computation  which,  like  L  ,  incorporate  the 
structure-as-storage  operations.  To  this  end,  the  entry-execution  model 
is  introduced  (in  Chapter  4) .  This  model  focuses  just  on  the  definitions 
of  operations,  including  how  their  input-output  behaviors  may  depend  on 
the  order  in  which  they  are  executed;  details  of  concurrent-control  and 
local -memory  structure  are  abstracted  away.  The  general  form  of  an  entry- 
execution  model  is  presented  in  Section  4.2;  Section  4.3  exhibits  an 
algorithm  for  constructing  the  model  EE(L,I)  from  any  data-flow  language 
L  and  interpreter  I.  Section  5.1  develops  the  Structure-as-Storage  (S-S) 
entry-execution  model,  to  illustrate  the  technique  of  defining  a  set  of 
interacting  operations  by  constraints  on  computations;  the  proof  that  the 
model  of  LgS  on  the  standard  interpreter  is  an  S-S  model  verifies  that 
the  operations  defined  are  the  structure  operations  in  L  . 

Chapter  6  first  defines  determinacy  in  entry-execution  terms,  specif¬ 
ically,  a  determinate  expansion.  It  then  presents  a  set  of  axioms  on  an 
expansion  which  are  sufficient  to  guarantee  its  determinacy  (Theorem  6.4-1). 
Chapter  7  proves  that  the  model  of  on  the  modified  interpreter, 

EE(Lp,M),  is  an  S-S  model  (Theorem  7.1-4)  in  which  every  expansion 
satisfies  the  axioms  (Lemma  7.2-1,  Theorems  7.2-1,  7.2-3,  and  7.2-5). 

It  also  proves  that  if  the  expansion  of  program  P  from  EE(L^,M)  is  deter¬ 
minate,  then  P  is  functional  (Theorem  7.3-1).  These  lead  to  the  following 


ultimate  results: 
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Thaorem  8.1-1  Every  program  running  on  the  modified  interpreter  Is 
functional. 

Proofs  Theorem  7.1-4,  Lemma  7.2-1,  Theorems  7.2-1,  7.2-3,  7.2-5,  6.4-1, 
and  7.3-1. 

A 

Corollary  8,1-1  For  any  well-behaved  program  P,  the  program  produced 
from  P  by  Algorithm  3.4-1  is  equivalent  to  P. 

Proof :  Theorems  8.1-1  and  3.4-3. 

Q.E.D. 

This  certifies  that  the  first  part  of  the  primary  goal  has  been  met.  The 
next  section  evaluates  (among  other  things)  progress  toward  both  the  other 
part  of  this  goal  (maximal  concurrency)  and  the  secondary  goal  of  general 
applicability  of  the  results. 

8.2  Evaluation 

This  section  evaluates  the  two  major  contributions  of  the  thesis: 

(1)  the  scheme  for  guaranteeing  doterminacy  and  (2)  the  entry-execution 
model.  The  major  issue  regarding  the  scheme  is  whether  or  not  it  yields 
the  greatest  possible  concurrency  possible  in  each  program.  The  simple 
answer  is:  No;  a  more  meaningful  reply  is  developed  below  in  the  form  of 
a  crude  cost-benefit  analysis,  which  takes  into  account  implementation 
considerations.  The  evaluation  of  the  model  is  necessarily  subjective. 

The  true  test  of  Its  worth  would  he  e  measure  of  how  much  the  results 
expressed  In  Its  terms  can  simplify  proofs  about  other  concurrent- 
computation  syatems  with  data  atructurea;  as  yet,  no  such  proofs  have 


been  undertaken. 
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8.2.1  The  Scheme 

Each  of  the  two  parts  of  the  scheme  for  guaranteeing  determinacy 
Incurs  a  separate  cost:  Any  physical  Implementation  of  the  standard  data¬ 
flow  Interpreter  (Section  8. 2. 1.1  below)  must  have  additional  hardware 

to  withhold  Select  outputs  (Section  8. 2. 1.2);  then  an  arbitrary  L  program 

BS 

must  be  tested  to  see  if  it  satisfies  the  Determinacy  and  Read-Only 
Conditions  (Section  8. 2. 1.3).  The  benefit  of  the  scheme  is  that  it 
provides  the  maximum  concurrency  possible  without  a  far  more  extensive 
and  costly  hardware  modification  (Section  8. 2. 1.4). 

8. 2. 1.1  A  Data-Flow  Processor 

A  physical  implementation  of  a  data-flow  interpreter  is  a  data-flow 
processor.  Estimating  the  added  hardware  required  in  the  modified  data¬ 
flow  processor  necessitates  first  understanding  the  envisioned  form  and 
function  of  the  standard  processor,  the  four  major  components  of  which 
are  diagrammed  in  Figure  8.2-1  [14J. 

The  Data-Flow  Control  Unit  (DFCU)  stores  the  configuration  component 
of  the  interpreter  state  and  recognizes  enabled  actors.  It  consists  of 
a  number  of  homogeneous,  autonomous  instruction  cells,  each  of  which 
stores  all  the  information  about  one  actor  d: 

1.  a  code  for  the  function  associated  with  d, 

2.  for  each  input  arc  of  d,  a  flag,  indicating  whether  there  is  a  token 
on  that  arc,  and  if  so,  the  value  of  that  token,  and 

3.  for  each  output  arc  of  d,  a  destination  tag,  which 

a.  identifies  that  arc  as  a  particular  input  arc  of  a  particular 
other  actor,  and 
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b.  indicates  whether  it  is  a  number-1  or  number-2  output  arc  of  d. 
Logic  within  the  cell  recognizes  when  d  is  enabled,  i.e.,  has  tokens  on 
the  requisite  set  of  input  arcs.  Whenever  this  happens,  the  contents  of 
the  cell  are  bundled  into  an  operation  packet,  which  is  transmitted 
serially  through  one  of  several  output  ports  of  the  DFCU. 

All  function  evaluation  is  done  by  the  complement  of  functional  units 
(FU's).  There  are  several  distinct  types  of  FU's,  and  there  may  be  several 
of  each  type  available  on  any  processor.  The  different  types  may  include, 
e.g.,  an  integer  arithmetic  unit,  a  floating-point  arithmetic  unit,  and 
assorted  input/output  controllers.  The  number  of  each  type  is  dictated 
by  economics,  with  processing  power  distributed  according  to  demand. 

Function  codes  (as  well  as  data)  are  meaningless  to  the  DFCU;  no 
internal  discrimination  is  made  among  actors  having  different  codes.  Thus 
the  type  of  FU  needed  to  evaluate  a  packet  emerging  from  a  DFCU  output  port 
is  totally  unpredictable.  One  role  of  the  Arbitration  Network  (AN)  is  to 
sort  the  stream  of  operation  packets  at  each  port  into  the  proper  FU  types, 
based  on  a  partial  decoding  of  function  codes.  Since  there  may  be  fewer 
FU's  of  a  given  type  than  there  are  DFCU  output  ports,  simultaneous 
demands  for  the  same  FU  can  arise;  arbitration  of  these  demands  is  the 
second  purpose  of  the  AN. 

When  an  FU  receives  an  operation  packet,  it  executes  the  indicated 
function  on  the  ordered  set  of  input  values  contained  in  the  packet, 
producing  result  packets .  Each  result  packet  consists  of  a  copy  of  a 
result  of  that  execution,  paired  with  one  of  the  destination  tags  from  the 
received  operation  packet.  Result  packets  enter  the  Distribution  Network 
(DN) ,  where  they  are  sorted  and  directed  into  the  proper  one  of  several 
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input  ports  of  the  DFCU.  The  destination  tag  in  each  result  packet  selects 
one  input  arc  of  one  actor;  upon  entering  the  DFCU,  the  result  is  stored 

in  the  proper  location  of  the  instruction  cell  for  that  actor,  where  it 

sets  the  flag  indicating  the  arrival  of  a  new  token. 

The  Structure  Memory  (SM)  is  one  type  of  FU,  which  executes  just  the 
eight  structure  operations.  The  issues  of  how  the  SM  stores  a  heap  and 
performs  operations  on  it  need  not  be  addressed  here.  One  aspect  of  the 
SM  functioning,  however,  is  essential  to  explaining  the  modifications  to 
be  made:  storage  reclamation.  Contrary  to  the  simplifying  assumption  made 
in  the  thesis,  the  sets  of  nodes  and  pointers  implemented  in  any  physical 
processor  are  finite.  To  postpone  saturation  of  the  SM  for  as  long  as 

possible,  the  storage  occupied  by  the  content  of  a  node  n  will  be 

reclaimed,  as  will  the  pointer  p  to  n,  whenever  n  becomes  inaccessible. 

A  node  becomes  inaccessible  whenever  there  is  no  pointer  to  it,  or  to  any 
node  from  which  it  is  reachable,  on  an  arc  in  the  configuration.  Once  n 
becomes  Inaccessible,  p  can  never  again  appear  on  an  arc,  and  so  no  more 
operations  can  ever  be  performed  on  n's  content.  In  this  case,  there  is 
no  need  to  retain  that  content,  so  the  storage  it  occupies  is  reclaimed 
for  use  in  storing  the  contents  of  accessible  nodes;  similarly,  p  is  made 
available  to  point  to  any  new  node  activated  by  a  subsequent  Copy  firing. 

Of  the  two  principal  techniques  for  detecting  inaccessible  nodes,  the 
one  most  easily  implemented  in  hardware  is  reference  counting:  For  each 
node  n  in  the  SM,  there  is  one  reference  count  (non-negative  integer) 
associated  with  n  and  another  associated  with  the  pointer  p  to  n.  The 
structure  reference  count,  SRC(n) ,  is  the  number  of  nodes  of  which  n  is 
a  successor;  the  execution  reference  count ,  ERC(p),  is  the  number  of  tokens 
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with  value  p  In  the  configuration.  Whenever  ERC(p)  -  SRC(n)  ■  0,  there 
la  no  pointer  to  n  on  any  arc  and  there  Is  no  node  from  which  n  Is  reach¬ 
able;  therefore,  n  is  certainly  Inaccessible. 

At  any  particular  time,  there  will  be  only  a  relatively  few  non-zero 
execution  reference  counts.  This  argues  for  storing  only  these  non-zero 
counts,  in  what  must  be  an  associative  memory.  This  ERC  Memory  (ERCM)  will 
store  associations  of  pointers  with  positive  integers  (keyed  on  the 
pointers).  The  following  algorithm  correctly  maintains  the  ERCM  contents: 
Whenever  an  operation  packet  containing  a  pointer  p  leaves  the  DFCU,  find 
the  value  associated  with  p  in  the  ERCM  and  decrement  it  by  one;  if  it 
goes  to  zero,  delete  the  association.  Whenever  a  result  packet  with 
value  p  leaves  the  SM,  look  for  an  associated  ERC(p);  if  one  is  found, 
increment  it  by  one,  otherwise  add  an  association  pairing  p  with  an  ERC 
of  one. 


8.2.1. 2  The  Processor  Modifications 

Assuming  that  the  above  mechanism  for  maintaining  execution  reference 
counts  is  already  available  in  a  standard  data-flow  processor  (as  is  most 
likely  [1,31]),  the  necessary  modifications  are  simple:  Each  pointer 
value  p  transmitted  outside  the  SM  (through  the  DN,  DFCU,  and  AN)  must  be 
replaced  by  one  of  (p,R)  or  (p,W),  either  of  which  is  one  bit  longer  than 
p.  The  SM  must  append  the  correct  value  of  that  bit  to  each  result  packet 
generated  by  the  execution  of  a  Copy  or  Select  operator;  this  value 
depends  on  which  operation  was  executed  and  on  whether  the  destination  tag 
in  that  packet  indicates  a  number-1  or  a  number-2  output  arc  of  the 
operator.  Two  execution  reference  counts,  ERC^(p)  and  ERC^(p) ,  must  be 
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kept  for  each  pointer  p;  these  are  the  numbers  of  tokens  with  value  (p,R) 
and  (p,W),  respectively,  on  arcs  of  the  configuration.  The  node  n  to  which 
p  points  is  inaccessible  only  when  ERCR(p)  -  ERCy(p)  *  SRC(n)  ■  0. 

Implementation  of  the  withholding  of  Select  outputs  follows  the 
formal  specification  quite  closely:  Before  result  packets  with  value  (p,R) 
generated  by  a  Select  execution  leave  the  SM,  look  for  a  non-zero  value  of 
ERC^(p).  If  none  is  found,  release  those  packets  into  the  DN.  If  ERC^(p) 
is  greater  than  zero,  divert  those  packets  into  a  separate  associative 
memory,  the  Pool  Memory  (PM) .  Whenever  ERC^(p)  is  decremented  to  zero 
(as  the  last  operation  packet  with  value  (p,W)  leaves  the  DFCU) ,  find  all 
result  packets  with  value  (p,R)  in  the  PM  and  release  them  into  the  DN. 

The  formal  specification  of  the  modified  interpreter  (Section  3.3.1) 
utilizes  a  two-step  state  transition,  which  was  claimed  to  most  accurately 
model  the  simplest  implementation.  The  basis  for  this  can  now  be  seen: 

As  noted,  the  only  difference  between  a  two-step  and  a  one-step  transition 
arises  in  the  case  of  a  Select  firing  which  inputs  the  last  token  of  value 
(p,W)  and  outputs  tokens  of  value  (p,R).  In  the  above  implementation , 
ERC^(p)  will  be  reduced  to  zero  as  the  SM  starts  executing  the  Select 
operation,  before  the  result  values  are  known.  By  the  time  result  (p,R) 
is  produced,  ERCy(p)  will  be  zero,  so  the  result  packets  will  not  be 
withheld.  This  is  just  the  behavior  Implied  by  the  two-step  transition. 

Current  trends  in  technology  suggest  that  the  cost  of  hardware  to 
Implement  the  logic  to  withhold  Select  outputs  will  be  far  exceeded  by 
that  of  the  additional  memory  required.  Under  this  assumption,  the  cost 
of  modifying  a  standard  data-flow  processor  in  accordance  with  the  scheme 
for  guaranteeing  determlnacy  is  composed  of  the  following  items: 
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1.  The  size  of  the  ERCM  must  be  increased  to  accomodate  separate  counts 
for  read  and  write  pointers.  For  each  pointer  p  with  any  non-zero 
reference  count,  both  p  and  the  count  must  be  stored  in  this  assoc¬ 
iative  memory.  Since  the  length  (in  bits)  of  p  is  probably  greater 
than  that  of  a  reference  count,  it  is  most  efficient  to  store  just 
one  association,  of  p  with  the  pair  (ERCR(p) ,  ERC^Cp)).  Then,  e.g., 
for  an  SM  capacity  of  16  million  nodes  and  reference  counts  of  less 
than  256,  the  size  of  the  ERCM  must  be  increased  by  25%  (from  32  to 
40  bits  per  association) . 

2.  An  associative  Fool  Memory  must  be  added.  This  must  store  all  result 
packets  which  are  being  withheld  at  any  time;  its  size  is  impossible 
to  forecast  without  simulation  studies. 

3.  Data  paths  through  the  DN,  DFCU,  and  AN  may  have  to  be  made  one  bit 
wider,  but  only  if  their  width  equals  the  length  of  a  pointer.  In 
that  case,  the  decision  probably  would  be  instead  to  make  pointers 
one  bit  shorter,  cutting  the  maximum  SM  capacity  to  half  as  many 
nodes . 

It  is  very  significant  that,  except  for  a  possible  widening  of  data 
paths,  none  of  the  modifications  affects  the  DFCU,  AN,  or  DN,  or  the 
actual  structure  storage  mechanism  within  the  SM;  they  are  restricted 
primarily  to  the  interface  between  the  SM  and  the  DN. 

8. 2. 1.3  The  Program  Restrictions 

Modifying  the  interpreter  is  only  one  of  two  parts  of  the  scheme  for 
guaranteeing  determlnacy  of  a  program  F.  The  other  is  the  requirement 
that  P  is  in  Lp,  i.e.,  satisfies  the  Determlnacy  and  Read-Only  Conditions. 
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Within  the  narrow  scope  of  the  goal  of  the  thesis,  this  part  of  the  scheme 
has  zero  cost:  it  has  been  proven  that  Algorithm  3.4-1  translates  every 

Sv 

establishing  whether  determlnacy  is  guaranteed  requires  examining  the 
program.  Hie  growth  of  the  computational  effort  of  this  examination  with 
program  size  is  an  important  "figure  of  merit"  for  the  scheme. 

The  essence  of  the  Read-Only  Condition  is  to  force  the  primary  input 
to  every  write-class  execution  to  be  a  write  pointer.  Compliance  with  this 
restriction  is  so  trivially  checked  in  hardware  that  any  effort  spent 
analyzing  the  program  for  it  would  be  extravagant.  It  is  assumed  therefore 
that  the  arrival  at  the  SM  of  any  operation  packet  containing  the  code  for 
a  write-class  operation  along  with  a  read  pointer  as  the  number-1  input 
causes  an  exception,  indicating  that  the  program  is  not  guaranteed 
determinate. 

The  Determlnacy  Condition  concerns  every  two  potentially-interfering 
firings  in  a  common  blocking  group  in  any  firing  sequence  starting  in  any 
initial  state  S'  of  P.  By  the  Static/Dynamic  Group  Relationship,  a  firing 
of  actor  d^  and  a  firing  of  actor  are  in  the  same  blocking  group  in  any 
firing  sequence  only  if  d^  and  are  in  the  same  maximal  pointer  distri¬ 
bution  group  (m.p.d.g.)  in  P  (Definition  3.2-1).  Since  one  of  d^  and  d2 
must  be  write-class,  the  Read-Only  Condition  implies  that  that  m.p.d.g. 
must  be  G(K(C,1))  for  some  Copy  operator  C.  Table  3.1-1  may  show  that, 
because  of  their  operations,  no  firings  of  d^  and  d^  can  potentially 
Interfere.  If  d^  is  an  Update  or  Delete  and  d2  is  a  Select,  Update,  or 
Delete,  firings  of  them  potentially  interfere  only  if  they  have  the  same 
selector  input;  it  may  be  possible  to  prove  that  this  never  occurs  for 


program  into  an  program.  For  an  arbitrary  LfiS  program  P,  however. 
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firings  in  the  same  blocking  group.  Otherwise,  all  firings  of  d^  and  d^ 
in  the  sane  blocking  group  must  be  sequenced  by  all  initial  states  of  P. 

As  mentioned  at  the  end  of  Section  3.3,  the  following  is  believed  to  be 
sufficient  for  such  sequencing,  if  P  is  well-formed:  either  d^  and  d^ 
are  in  separate  branches  of  the  same  conditional  construct,  or  there  is  a 
directed  path  in  P  from  one  to  the  other. 

Therefore,  for  every  Copy  operator  C  in  P,  every  write-class  operator 
in  G(K(C,1) )  must  be  checked  against  every  other  structure  operator  in 
G(K(C,1))UG(K(C,2)) ,  first  to  see  if  there  can  be  potentially-interfering 
firings  of  those  actors  in  a  common  blocking  group,  and  then  if  so,  to 
see  if  those  firings  are  sequenced.  Thus  the  effort  expended  for  each 
m.p.d.g.  may  grow  as  fast  as  the  square  of  the  number  of  structure  opera¬ 
tors  in  it.  It  is  reasonable  to  expect,  however,  that  this  number  would 
be  bounded  from  above  by  some  relatively  small  constant.  If  so,  then  the 
total  effort  required  to  determine  whether  an  arbitrary  LfiS  program  is 
guaranteed  determinate  is  proportional  to  the  number  of  Copy  operators  in 
it;  l.e.,  grows  linearly  with  program  size. 

This  completes  the  projection  of  the  costs  of  the  scheme  for  guaran¬ 
teeing  determinacy.  Next  it  is  argued  that  the  benefit  of  the  scheme  is 
that  it  provides  the  maximum  concurrency  possible  without  far  more 
extensive  modifications  of  the  DFCU. 

8. 2. 1.4  Degree  of  Concurrency 

Section  2.3.3  (q.v.)  provides  a  measure  of  concurrency  and  uses  it  to 
compare  the  L^y  program  AlterV2  and  a  similar,  but  non-functional 
program  AlterS2.  That  analysis,  based  on  Assumptions  2.3-1  and  2.3-2, 
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concludes  that  the  minimum  elapsed  time  required  to  "correctly"  execute 
AlterS2  is  2S  less  than  that  for  AlterV2,  which  Is  at  most  8S  (S  Is  the 
time  required  to  execute  a  Copy);  this  is  a  reduction  of  at  least  25%. 
Translating  AlterV2  into  produces  AlterS2'  (Figure  3.4-2),  which,  when 
run  on  the  modified  interpreter,  is  functional,  and  so  always  executes 
"correctly".  The  only  difference  between  AlterS2  and  AlterS2'  is  the 
insertion  in  the  latter  of  a  sequencer,  which  forces  Select  to  fire 
after  Update  .  That  sequencer  is  on  one  of  the  maximal-execution-time 
paths.  Therefore,  the  minimum  elapsed  time  required  to  execute  AlterS2' 
is  greater  than  that  for  AlterS2  by  the  execution  time  of  a  sequencer. 

A  sequencer  should  take  less  time  to  execute  than  a  Copy,  probably  much 
less  time.  Hence  the  improvement  in  elapsed  time  from  AlterV2  to  AlterS2' 
will  probably  be  a  few  per  cent  less  than  the  improvement  from  AlterV2 
to  AlterS2,  but  it  should  still  be  at  least  20Z. 

Lj.  programs  on  the  modified  interpreter  are  in  general  not  maximally 
concurrent.  Loss  of  concurrency  occurs  whenever  the  firing  of  one  actor 
is  delayed,  even  though  all  its  inputs  are  available,  until  another  actor 
has  fired,  but  the  two  firings  do  not  potentially  interfere.  The  circum¬ 
stances  under  which  such  losses  occur,  and  the  further  processor  modifi¬ 
cations  necessary  to  reduce  their  frequency,  are  discussed  below,  in  the 
two  cases  that  the  firings  in  question  are  in  the  same  or  in  different 
blocking  groups. 

With  an  optimal  algorithm  for  achieving  the  Determlnacy  Condition, 
concurrency  is  lost  between  firings  in  the  same  blocking  group  of  two 
actors  d^  and  d^  only  in  the  following  case:  one  is  an  Update  or  Delete, 
the  other  is  a  Select,  Update,  or  Delete,  and  it  could  not  be  proven  that 
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every  two  firings  of  d^  and  d^  in  any  common  blocking  group  would  have 
different  selector  inputs.  This  implies  that  the  unnecessary  delay  of  a 
firing  of  d^  until  after  a  firing  of  d^  can  only  be  detected  and  corrected 
as  it  occurs,  i.e.,  by  processor  hardware.  An  unnecessary  delay  is  indi¬ 
cated  by  the  conjunction  of  the  following  three  circumstances:  (1)  both 
inputs  to  d^  are  available  (i.e.,  are  stoted  in  the  instruction  cell  for 
d^  in  the  DFCU) ,  (2)  the  selector  input  to  d^  is  available  (since  d^  is 
being  delayed  unnecessarily;  i.e.,  the  selector  inputs  are  known  to  be 
distinct) ,  and  (3)  another  input  to  d^  is  not  available  (otherwise  d^  would 
have  fired) .  Avoiding  the  delay  requires  checking  that  the  cells  for  all 
Update,  Delete,  or  Select  operators  in  the  same  m.p.d.g.  as  d^  store  either 
a  different  selector  input  or  a  different  pointer  input  than  d^'s  cell.  In 
general,  this  calls  for  a  pair  of  comparators  between  every  two  cells  in 
the  DFCU  which  can  hold  structure  operators,  a  very  expensive  proposition. 

A  firing  of  d^  in  one  blocking  group  can  be  delayed  until  after  a 
firing  of  in  another  blocking  group  without  regard  to  whether  the  two 
could  potentially  Interfere,  as  in  the  following  case:  A  Select  firing  has 
generated  a  result  packet  containing  value  (p,R)  which  is  destined  for  d^’s 
input,  but  that  packet  is  being  withheld  until  ERC^(p)  goes  to  zero,  which 
will  not  happen  at  least  until  the  firing  of  d^ •  Thus  even  though  the 
input  to  d^  has  been  generated  and  could  have  arrived  at  the  cell  for  d^, 
it  will  not  do  so  until  d^  fires.  This  happens  even  if  those  firings  could 
never  potentially  interfere,  e.g.,  if  d^  is  a  Fetch  and  d^  is  a  Delete. 

Such  inter-blocking-group  concurrency  losses  may  be  reduced  by  a 
further  refinement  of  the  echeme:  The  two  classes  of  structure  operations, 
read  and  write,  are  partitioned  into  five  subclasses.  The  write  class  is 
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split  into  the  write-value  (Assign)  and  the  write-branch  (Update  and 
Delete)  subclasses.  Since  a  Copy  (unfortunately)  reads  both  value  and 
branches,  the  read  class  must  be  divided  into  three  subclasses:  read-value 
(Fetch),  read-branch  (Select,  First,  and  Next),  and  read-all  (Copy).  There 
are  five  corresponding  types  of  tagged  pointers.  A  Copy  operator  must  have 
three  distinct  groups  of  output  arcs  (write-value,  write-branch,  and  read), 
and  a  Select  must  have  four  (the  three  read  subclasses  plus  a  control 
output).  Finally,  there  must  be  three  execution  reference  counts:  one  for 
write-value  pointers,  one  for  write-branch  pointers,  and  one  for  all 
read  pointers. 

The  major  costs  of  these  further  modifications  to  each  of  the  compon¬ 
ents  of  the  processor  are  as  follows:  DFCU,  AN,  and  DN  -  a  pointer  data 
path  which  is  two  bits  wider  (or  a  reduction  in  SM  capacity  of  75%) ,  and 
destination  tags  which  are  one  bit  longer  (to  distinguish  four  groups  of 
output  arcs  instead  of  two).  SM  -  one  more  ERC  to  store  (a  size  increase 
of  20%,  assuming  as  before  24-bit  pointers  and  8-bit  ERC's). 

In  conclusion,  the  following  claims  are  made  about  the  degree  of 
concurrency  among  structure  operate  ui.der  certain  "ground  rules": 

Only  the  SM  can  be  modified  -  The  orl  al  modified  processor  is  maximally 
concurrent  (although  the  maximum  SM  capacity  may  have  to  be  reduced 
to  half  as  many  nodes,  if  the  standard  processor  data  paths  are  not 
wider  than  a  pointer) . 

The  DFCU  may  be  modified  slightly  -  The  refinement  sketched  above, 
requiring  one  extra  bit  in  each  destination  tag,  is  maximally 
concurrent. 

Under  at  least  the  first  ground  rule,  the  thesis  meets  its  primary  goal. 
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8.2.2  The  Model 

The  secondary  goal  of  the  thesis  is  to  make  the  proofs  of  the  correct¬ 
ness  of  the  scheme  for  guaranteeing  determinacy  as  general  as  possible, 
in  hopes  of  shortening  future  proofs  about  concurrent-computation  systems 
other  than  data  flow  which  use  the  scheme.  The  basic  proofs  concern  how 
the  outputs  of  an  execution  depend  on  the  inputs  to  it  and  to  preceding 
executions;  any  medium  for  their  expression  should,  therefore,  convey  this 
information  with  as  few  extraneous  details  as  possible. 

The  entry-execution  model  is  a  good  such  medium.  In  each  computation, 
there  is  one  entry  for  each  value  input  to  every  execution,  each  value 
output  by  every  execution  is  listed  in  at  least  one  entry,  and  execution 
order  is  indicated  by  initiation  order.  The  steps  in  using  this  model  to 
prove  that  determinacy  is  guaranteed  in  any  system  are  listed  at  the  start 
of  Chapter  4.  As  evidenced  by  the  length  of  Chapter  7,  this  likely  will 
not  be  an  easy  chore;  only  experience  will  tell  if  it  is  easier  than  it 
would  be  without  the  results  about  entry-execution  models  developed  in 
Chapter  6. 

An  important  additional  application  of  the  entry-execution  model  is 
in  describing  the  behavior  of  physical  processors.  A  computation  can  be 
viewed  as  a  behavior  of  a  data-flow  processor,  under  the  following  inter¬ 
pretation:  An  execution  corresponds  to  an  operation  packet.  An  operation 
packet  is  "grown"  in  the  instruction  cell  for  an  actor  as  an  accumulation 
of  result  packets.  When  a  full  set  of  result  packets  has  been  received, 
the  actor  is  fired;  i.e.,  the  operation  packet  is  sent  to  a  Functional 
Unit.  There  it  generates  result  packets,  which  are  sent  through  the  DN 
to  the  proper  incipient  operation  packets  in  the  DFCU.  Thus  the  entry 
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of  a  result  packet  Into  the  DN  marks  the  transfer  of  a  value  from  an  output 
of  one  operation  packet  to  an  input  of  another.  Substituting  "execution" 
for  "operation  packet",  this  is  just  the  definition  of  an  entry.  Under 
this  interpretation,  the  algorithm  for  reconstructing  the  firing  sequence 
$(a>)  from  the  entry  sequence  co  (Definition  4.3-4)  reads:  Accumulate  the 
entries  (result  packets)  which  are  the  inputs  to  an  execution  (operation 
packet);  when  the  initiating  (last)  one  arrives,  register  a  new  firing. 

This  is  just  the  principle  of  operation  of  the  DFCU. 

A  computation  (sequence  of  entries)  potentially  provides  a  much  more 
precise  description  of  processor  behavior  than  a  firing  sequence.  The 
latter  implies  that  at  most  one  FU  is  active  at  a  time:  An  FU  is  active 
for  as  long  as  it  takes  to  execute  the  operation  of  one  firing,  and  only 
after  that  is  finished  is  another  FU  activated  by  the  next  firing  in  the 
sequence.  In  a  real  processor,  however,  an  FU  is  active  for  some  of  the 
time  between  the  completion  of  the  operation  packet  for  a  firing  and  the 
arrival  at  the  DN  of  the  first  of  the  associated  result  packets.  On  the 
above  interpretation  of  computations,  this  active  period  corresponds  to 
the  interval  between  the  initiation  of  an  execution  and  that  execution's 
first  output  entry.  Since  such  intervals  can  overlap,  a  computation  can 
describe  concurrent  activity  by  several  FU's. 

Unfortunately,  the  full  descriptive  potential  inherent  in  computations 
is  not  realized  by  the  model  EE(L,I)  of  data-flow  language  L  and  inter¬ 
preter  I,  as  the  following  demonstrates:  If  the  data-flow  processor 
Implementing  I  is  running  program  P,  then  for  any  actor  d  in  P,  there  is 
an  instruction  cell  in  the  DFCU.  Initially,  some  number  n  of  d's  input 
arcs  are  empty.  That  cell  will  first  recognize  d  as  enabled  at  some  time 
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after  the  time  tg  at  which  the  result  packet  destined  for  the  cell 
enters  the  DN.  The  cell  will  then  send  an  operation  packet  to  an  FU,  where 
result  packets  are  generated;  the  first  of  these  enters  the  DN  at  some  time 
t^  >  tg.  It  is  always  possible  that  no  other  result  packet  enters  the  DN 
between  t^  and  t^  (unless,  as  explained  later,  d  is  a  Select  and  this  is 
the  modified  processor) . 

Each  job  J  in  the  expansion  of  P  from  EE(L,I)  consists  of  all  the 
computations  generated  by  I  when  started  in  any  of  some  equivalence  class 
of  initial  states  for  P.  Ideally,  those  computations  would  be  the 
descriptions  of  all  possible  behaviors  of  the  processor  implementing  I 
when  started  in  any  of  those  initial  states.  If  this  were  so,  then  by  the 
above,  for  any  af6g€J  in  which  f  is  the  nth  (initiating)  entry  to  Ex(d,l) 
and  g  is  any  output  entry  of  that  execution,  afg  would  be  in  J  (i.e.,  none 
of  the  entries  in  6  would  have  to  appear  between  f  and  g) .  But 
Definition  4.3-5  imposes  an  additional  restriction  on  computations  in  J: 
for  every  input  entry  h  to  g's  target  execution,  the  execution  of  which  h 
is  an  output  entry  must  be  initiated  in  af.  This  is  an  artificial  restric¬ 
tion,  not  reflecting  any  physical  processor  characteristic,  and  so  inval¬ 
idates  EE(L,I)  as  an  accurate  description  of  the  Implementation  of  I. 

A  model  in  which  that  restriction  is  removed  would  provide  a  descrip¬ 
tion  of  the  standard  processor  which  is  both  accurate  and  significantly 
more  precise  than  firing  sequences.  For  the  modified  processor,  the 
restriction  cannot  be  removed  entirely,  as  there  is  a  case  in  which  certain 
result  packets  may  have  to  enter  the  DN  between  t^  and  t^:  If  the  result 
packet  entering  at  t^  has  value  (p,R),  ERC^(p)  >  0  at  tQ,  meaning  that 
some  instruction  cell  is  storing  the  value  (p,W),  and  that  cell  needs  more 
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inputs  before  it  is  enabled.  The  following  redefinition  contains  a 
suitable  restriction,  producing  an  accurate  description  of  the  behavior 
of  either  processor: 

Definition  8.2-1  Let  S  be  any  initial  state  for  a  data-flow  program  P, 
and  let  2  be  any  halted  firing  sequence  starting  in  S.  Then  the  set 
J,,  of  computations  for  S  and  2  consists  of  each  permutation  8  of  r](£,2) 
which  satisfies  all  of  the  following: 

1.  $(p)  is  the  reduction  of  2. 

2.  p  is  causal. 

3.  For  every  prefix  af  of  p,  let  6  be  the  prefix  of  2  whose  reduction 
is  $(a) ,  let  the  destination  in  T(f)  be  Dst(Ex(d,k) , j) ,  and  let  b 
be  the  arc  given  by: 

dfDL  »  b  is  the  number- j  input  arc  of  the  actor  labelled  d 
d  »  (c,n)  and  c  "OD"  =»  b  is  the  number-n  input  arc  of  the 
actor  labelled  c 

d  »  (c,n)  and  c  •  "OD"  =>  b  is  the  number-n  program  output  arc 
Then  there  is  a  token  on  b  in  S'0. 

A 

This  revision  affects  the  proofs  only  of  the  following:  Lemma  4.3-3, 
Leona  5.3-2,  Lemma  7.2-8,  and  Theorem  7.2-5.  While  the  effects  on  the 
first  three  of  these  are  minor,  the  last  one,  the  proof  of  persistence, 
would  be  extremely  difficult  without  the  original  restriction.  As  it  has 
been  proven  that  every  expansion  in  the  original  model  is  determinate, 
however,  it  should  be  possible  to  work  backwards  to  prove  that  every 
expansion  in  the  revised  model  is  persistent.  Since  all  other  proofs 
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apply  to  the  revised  model  (with  minor  reworking) ,  every  expansion  in  the 
revised  model  is  determinate.  This  is  a  very  powerful  statement  about  the 
behavior  of  a  correct  physical  implementation  of  a  data-flow  interpreter. 

8.3  Suggestions  for  Further  Research 

This  section  presents  two  types  of  suggestions:  (1)  resolving 
questions  previously  raised,  about  the  scheme  and  the  model  as  presently 
constituted,  and  (2)  exploring  proposed  extensions. 

8.3.1  Open  Questions 

Several  unsolved  problems  have  been  noted  in  the  course  of  the  thesis, 
many  of  them  in  the  just-concluded  section  evaluating  the  proven  results. 
These  are  summarized  below: 

1.  Confirm  a  general  syntactic  test  for  the  Determinacy  Condition.  It 
is  known  how  to  identify  those  pairs  of  actors  of  which  all  firings 
in  the  same  blocking  group  must  be  sequenced.  It  is  believed  that 
in  a  well-formed  program,  it  is  sufficient  that  for  every  such  pair, 
either  each  actor  is  in  a  separate  branch  of  a  conditional  construct 
or  there  is  a  directed  path  between  them.  This  claim  has  thus  far 
successfully  resisted  extensive  efforts  at  a  proof. 

2.  Devise  a  syntactic  means  of  recognizing  potential  hangups.  The 
following  line  of  attack  seems  promising:  The  blocking,  diagram  for 
program  P  is  a  graph  with  one  node  for  each  Copy  and  Select  operator 
in  P.  An  arc  is  drawn  from  the  node  for  Select  S  to  that  for  Copy  C 
iff  there  is  a  directed  path  in  P  from  S  to  any  actor  in  the  m.p.d.g. 
G(K(C,1)).  An  arc  is  drawn  from  the  node  for  C  to  the  node  for  S  iff 
a  firing  of  S  could  ever  output  the  same  pointer  as  a  firing  of  C. 
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A  hangup  occurs  when  (a)  output  tokens  are  being  withheld  from  S's 
output  arcs  until  an  actor  in  G(K(C,1))  fires,  but  (b)  that  actor 
cannot  fire  until  tokens  appear  on  S's  output  arcs.  This  situation 
implies  the  existence  of  a  directed  cycle  in  the  blocking  diagram. 


3.  Prove  that  every  expansion  in  the  revised  entry-execution  model  of 

on  the  modified  Interpreter  (just  described  in  Section  8.2.2)  is 
persistent,  hence  determinate. 

4.  Conduct  more  detailed  studies  Comparing  the  benefits  and  costs  of 
on  the  modified  interpreter  against  those  of  on  the  standard 
interpreter.  The  major  benefit  claimed  for  1^  is  increased  concur¬ 
rency.  Classes  of  "toy"  programs  in  which  structure  operations 


predominate  may  yield  analytical  comparisons,  such  as  that  between 
AlterV2  and  AlterS2;  simulation  of  a  set  of  real  programs  is  needed 


to  discover  the  actual  concurrency  advantage,  if  any.  Establishing 
the  Incremental  cost  of  the  modified  processor  must  await  determin¬ 


ation  of  the  base  cost  of  the  standard  processor,  including  the  SM. 


5.  Resolve  the  problem  introduced  by  the  ability  to  use  Structure-as- 
Storage  operations  to  build  a  heap  containing  directed  cycles 
(directed  cycles  cannot  be  constructed  using  just  the  Structure-as- 
Value  operations  [12]).  The  presence  of  cycles  does  not  directly 
impact  the  determinacy  scheme,  but  it  does  confound  the  reference¬ 
counting  method  of  storage  reclamation:  In  a  directed  cycle  in 
which  every  node  is  inaccessible,  every  node  still  has  a  predecessor, 
hence  a  non-zero  structure  reference  count;  thus  the  storage  for 
cycles  is  never  reclaimed.  Several  solutions  suggest  themselves: 


-471- 


a.  Run  only  programs  which  sure  equivalent  to  LgV  programs.  Such  a 
program  does  not  build  cycles,  but  Is  more  concurrent  than  Its 
LgV  counterpart. 

b.  In  the  same  vein,  encase  all  write-class  operators  In  a  set  of 
procedures,  similar  to  those  defined  In  [21]  to  Implement  a 
relational  data  base.  It  may  then  be  possible  to  prove  that  no 
program  using  just  these  procedures  can  build  a  cycle. 

c.  Prevent  or  mark  each  cycle  dynamically,  during  execution  of  the 
Instruction  which  would  create  it.  This  involves  finding  all 
nodes  reachable  from  that  pointed  to  by  the  number-3  input  of  an 
Update,  to  see  if  the  node  pointed  to  by  the  number-1  input  is 
among  them. 

d.  Enhance  the  SM  with  an  incremental  garbage  collector  [16].  This 
is  an  independent  processor,  which  traces  and  marks  all  access¬ 
ible  structures  (i.e.,  beginning  with  pointers  having  non-zero 
ERC's),  and  then  reclaims  all  unmarked  nodes. 

6.  Design  a  Structure  Memory,  a  Functional  Unit  which  directly  and 
efficiently  executes  a  set  of  structure  operations. 

8.3.2  Extensions 

This  section  discusses  several  partially-developed  extensions  of  both 
the  scheme  and  the  model.  The  major  extension  of  the  scheme  is  motivated 
by  a  significant  implementation  inefficiency  inherent  in  the  structure 
operations  presented  earlier.  The  problem  is  illustrated  by  Figure  2.3-5d, 
which  is  the  final  state  in  a  sequence  starting  in  the  initial  state  of 
program  Alters  shown  in  Figure  2.3-4.  The  heap  in  the  final  state 
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contains  both  the  component  which  was  a  program  input  (nodes  m^  and  m^) 
and  the  component  which  is  a  program  output  (nodes  n^  and  n2> . 

This  portends  inefficiency  in  a  physical  SH  if,  in  the  initial  state, 
SRC(nij)  ■  0  and  ERCj^p^HERC^p^)  »  2,  where  p^  is  the  pointer  to  m^. 

I.e.,  there  are  only  two  tokens  with  value  (p^.R)  or  (p^.W)  in  the  DFCU,  and 
these  are  on  arcs  in  Alters.  As  a  consequence,  in  the  final  state, 

SRCOn^)  *  0  and  ERC^(p^)  *  ERC^(p^)  ■  0,  so  the  storage  for  can  be 

reclaimed.  Included  in  that  reclamation  is  an  implicit  Delete  of  all 
branches  emanating  from  m^;  i.e.,  for  each  successor  n  of  m^  (including 
m^),  the  number  of  branches  terminating  on  n,  which  is  SRC(n),  is  reduced 
by  one.  Assuming  that,  in  the  initial  state,  SRC^)  =  1  and 
ERCr(p2)+ERCw(p2)  ■  0,  where  p2  is  the  pointer  to  n^,  will  be  inaccess¬ 
ible,  hence  eligible  for  reclamation,  as  soon  as  m^  is  reclaimed.  The 
program  output  component  (n^  and  n^)  is  almost  identical  to  the  program 
input  component.  Therefore,  the  effect  of  the  program  is  to  copy  its 
input  component,  with  a  minor  alteration,  and  then  discard  that  component. 

It  is  far  more  sensible  to  make  the  minor  change  directly  to  the  input 
component,  and  then  output  the  program  input  p^.  This  would  save  the 
considerable  efforts  involved  both  in  copying  the  input  component  and  in 
reclaiming  it. 

Altering  m2  (changing  its  value  from  2  to  3)  would  require  an  Assign 
firing  which  has  as  an  input.  That  pointer  can  only  be  obtained  as  the 
output  of  a  Select  firing  which  has  p^  as  an  input.  But  an  Assign  firing 
must  have  a  write  pointer  as  input,  and  a  Select  outputs  only  read 
pointers.  This  dilemma  can  be  resolved  by  Introducing  a  ninth  structure 
operation,  Modify,  differing  from  Select  in  that  it  outputs  write  pointers. 
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The  Modify  operation  permits  a  program  to  avoid  copying  a  node  which 
will  immediately  become  inaccessible;  unfortunately,  it  also  defeats  the 
scheme  for  guaranteeing  determinacy.  This  can  be  rectified  by  a  simple 
extension  of  the  scheme.  Reviewing  its  original  explication  (Section  3.2), 
the  possibilities  for  potential  interference  between  firings  in  different 
blocking  groups  are  set  down  as  the  Potential-Interference  Assumption. 

This  presupposes  that  any  write-class  firing  in  firing  sequence  2  is  in 
B  (Tg(C,n))  for  some  Copy  operator  C,  which  is  no  longer  valid  with  the 

Ob 

introduction  of  the  Modify  operation.  Hence,  a  slightly  different 
Potential-Interference  Assumption  is  needed: 

Given  a  firing  sequence  2  and  two  distinct  blocking  groups  B  (e)  and 

Ufa 

B  (e'),  some  firing  in  one  group  potentially  interferes  with  some 

db 

firing  in  the  other  iff: 

1.  e  *  Tg(d^,n^)  for  some  n^,  where  d^  is  a  Copy  or  Modify  operator, 

2.  e*  ■  Tg(d2,n2>  for  some  nj,  where  d2  is  a  Select  or  Modify,  and 

3.  the  n2  firing  of  d2  outputs  the  same  pointer  as  the 
firing  of  d^. 

The  strategy  adopted  is  to  sequence  all  firings  in  one  group  with  respect 
to  all  firings  in  another  group  if  it  is  assumed  that  some  firing  in  one 
group  potentially  interferes  with  some  firing  in  the  other. 

All  the  firings  in  blocking  group  B^(e2)  are  sequenced  after  all 
firings  in  B  (e.)  by  the  Group  Sequencing  Technique,  consisting  of  two 

mv  A 

rules : 

I.  The  first  tokens  with  tag  e^  appear  before  the  first  tokens  with 
tag  e2« 
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II.  The  first  tokens  with  tag  e^  do  not  appear  while  there  are  tokens 
with  tag  e^  in  the  configuration. 

Rule  II  leads  to  the  Blocking  Discipline:  For  any  pointer  p,  no  token 
whose  value  is  the  tagged  pointer  TP(p .e^)  appears  on  any  arc  if  there  are 
tokens  of  value  TP(p,e^)  on  any  arc.  At  most  one  Copy  firing  outputs  p, 
and  no  other  firing  can  output  p  before  it  does;  therefore,  tokens  never 
need  be  withheld  from  output  arcs  of  a  Copy.  For  any  tag  -  Tg(S,j) 
where  S  is  a  Select  operator,  by  the  Potential-Interference  Assumption, 
the  firings  in  B2(e2)  are  to  Be  sequenced  after  those  in  B^e^)  only  if 
e^  -  Tg(C,n)  for  Copy  or  Modify  operator  C.  For  tag  e^  ■  Tg(M,j)  where 
M  is  a  Modify  operator,  e^  -  Tg(A,n)  where  A  is  either  a  Copy  or  Modify 
operator  or  a  Select  operator.  It  is  argued  in  Section  3.3.1  that  the 
pointer-valued  tokens  output  by  the  nth  firing  of  structure  operator  d  in 
2  need  have  only  one  of  two  tags:  W  if  there  may  be  a  write-class  firing 
in  B  (Tg(d,n))  (l.e.,  if  d  is  a  Copy  or  Modify),  or  R  otherwise. 

Therefore,  Rule  II  is  enforced  as  follows: 

For  any  pointer  p, 

no  tokens  of  value  (p,R)  are  placed  on  output  arcs  of  a  Select 
operator  while  there  are  tokens  of  value  (p,W)  in  the  configuration, 
and 

no  tokens  of  value  (p,W)  are  placed  on  the  output  arcs  of  a  Modify 
operator  while  there  are  tokens  of  value  (p,W)  or  (p,R)  in  the 
configuration. 

Rule  I  is  enforced  by  a  combination  of  the  two  more  fundamental 
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la.  If,  for  1*1,2,  e^  ■  TgCd^n^),  the  first  tokens  with  tag  e^  appear 

before  the  first  tokens  with  tag  e^  iff  the  n^*1  firing  of 
precedes  the  firing  of  d^. 

lb.  The  n^*1  firing  of  d^  always  precedes  the  firing  of  d^. 

Rule  la  Implies  that  the  third  component  of  the  modified  Interpreter  state, 

Q,  should  contain,  for  each  pointer  p,  a  first-in,  first-out  queue  of  actor 
labels,  rather  than  a  pool,  as  the  following  demonstrates:  The  m*"*1  firing 
of  Select  S  and  the  nfc^  firing  of  Modify  M,  in  that  order,  may  attempt  to 
output  tokens  of  value  TP(p,Tg(S,m))  and  TP(p,Tg(M,n))  while  there  are 
still  tokens  of  value  TP(p,Tg(C,j))  for  Copy  operator  C  in  the  configur¬ 
ation.  By  Rule  II,  none  of  the  former  tokens  can  appear  on  output  arcs  of 
S  or  M  until  the  last  token  with  value  TP(p,Tg(C, j))  disappears.  At  that 
time,  by  Rule  la,  the  tokens  of  value  TP(p,Tg(S,m))  must  appear  on  S's 
output  arcs  first,  since  S  fired  before  M.  Tokens  cannot  be  placed  on  M's 
output  arcs  at  this  time,  by  Rule  II  again.  Thus  the  necessity  of 
remembering  the  order  in  which  actor  labels  are  added  to  Q(p) . 

Rule  Ib  applies  to  any  two  firings  of  actors  d^  and  which  output 
the  same  pointer  if  one  of  the  actors  is  a  Copy  or  Modify  and  the  other  Is 
a  Modify  or  Select.  A  Copy  firing  always  precedes  any  other  firing  which 
outputs  the  same  pointer.  If  one  actor  is  a  Modify  and  the  other  is  a 
Modify  or  Select,  there  are  two  cases  to  consider:  the  two  firings  either 
do  or  do  not  have  Identical  pointer  and  selector  inputs.  If  they  do. 

Rule  Ib  becomes:  Given  that  the  firing  of  d^  and  the  firing  of 
d ^  In  some  firing  sequence  have  the  same  pointer  and  selector  inputs,  at 
least  one  operator  is  a  Modify,  and  the  other  is  a  Modify  or  Select,  those 
firings  must  be  sequenced.  Significantly,  an  equally-true  statement  is 
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obtained  by  replacing  "Modify"  in  the  foregoing  with  "Update  or  Delete". 
The  determinacy  scheme  guarantees  the  latter  sequencing,  so  the  problem 
of  enforcing  Rule  lb  in  this  case  is  fundamentally  no  different  than  one 
which  has  already  been  solved.  That  solution  Is  easily  adapted  to  handle 
the  new  Modify  operator  as  follows: 

A.  Modify  (like  Update  and  Delete)  is  a  write-class  operator;  i.e., 
requires  a  write  pointer  input. 

B.  The  Determinacy  Condition  is  extended  to  require  sequencing  of  any 
two  Select  or  Modify  firings  in  the  same  blocking  group  which  may 
have  the  same  selector  inputs,  if  at  least  one  is  a  Modify  firing. 

The  extension  of  the  determinacy  scheme  to  accomodate  the  Modify 
operation,  as  developed  to  this  point,  is  summarized  below: 

1.  Modify  operates  like  Select  except  that  it  requires  a  WTite-pointer 
input  and  produces  a  write-pointer  output,  and  any  tokens  of  value 
(p,W)  are  withheld  from  the  output  arcs  of  a  Modify  so  long  as  there 
are  tokens  of  value  (p,W)  or  (p,R)  in  the  configuration. 

2.  The  third  state  component  Q  consists  of  a  queue  of  actor  labels  for 
each  pointer. 

3.  The  Determinacy  Condition  is  extended  as  just  noted. 

It  is  believed  that  these  changes  will  yield  the  following  guarantee: 

Tor  any  equal  initial  states  S ^  and  S2  and  halted  firing  sequences  and 
Sl  ^2  e^uai®  ^l  ^l*  unie8B  is  a  Modify  dj^  and  a  Modify  or  Select 

d^,  and  an  n^  and  n^,  such  that  the  n^*1  firing  of  d^  and  the  firing 
of  dj  are  not  sequenced  and  in  they  have  the  same  pointer  output  but 
different  pointer  or  selector  inputs.  A  suggestion  for  further  research 
is  to  use  the  techniques  and  results  of  the  thesis  to  prove  this  formally. 
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If  two  unsequenced  Modify  or  Select  firings  can  output  the  same 
pointer  p  to  node  n  given  pointers  to  different  nodes  and  n^,  it  is 
because  there  are  branches  to  n  from  each  of  m^  and  m^.  This  condition 
is  easily  detected,  as  the  structure  reference  count  SRC(n)  will  be 
greater  than  one.  Thus  it  is  possible  to  determine,  at  a  Modify  firing, 
whether  another  Modify  or  Select  firing  with  a  different  pointer  (or 
selector)  input  could  subsequently  output  the  same  pointer.  Rather  than 
try  to  sequence  these  two  firings,  with  their  different  inputs,  the  need 
for  sequencing  can  be  eliminated  altogether,  by  making  the  Modify  operation 
more  sophisticated:  Before  a  Modify  firing  outputs  pointer  p  to  node  n, 
SRC(n)  is  checked.  If  it  is  0  or  1,  the  pointer  is  output  as  Indicated 
above  (i.e.,  it  is  withheld  until  ERC  (p)+ERCw(p)  is  zero).  If  SRC(n)  >  1, 
the  effect  of  the  Modify  firing  becomes  as  if  it  had  been  replaced  with 
the  four  actors  depicted  in  Figure  8.3-la.  That  is,  a  copy  n’  is  made  of 
node  n  and  n'  is  made  the  's '-successor  of  the  node  m  (Figure  8.3-lb); 
then  the  pointer  to  n'  is  output  immediately.  The  component  rooted  at  m 
after  this  alternative  Modify  action  (called  automatic  copying)  equals 
that  before  the  action,  and  the  component  rooted  at  n'  equals  that  rooted 
at  n.  The  only  difference  is  that  every  other  firing  which  outputs  a 
pointer  to  n'  must  follow  this  Modify  firing  which  activated  n' ;  thus 
Rule  lb  is  obeyed.  A  formal  proof  is  needed  of  the  claim:  with  automatic 
copying  by  Modify  operators,  all  programs  are  functional;  furthermore, 
every  program  can  be  translated  into  an  equivalent  one  of  these 
programs,  which  not  only  may  have  more  concurrency,  but  may  activate 


fewer  nodes. 


Two  final  extensions  of  the  determinacy  scheme  are  less  well 
developed.  The  first  is  the  accomodation  of  procedures  [12].  The  major 
problem  introduced  is  that  a  single  blocking  group  may  contain  firings  of 
actors  from  several  different  procedures.  Any  syntactic  test  for  the 
Determinacy  Condition  must  require  only  that  each  individual  procedure  be 
verified  independently;  it  would  be  unworkable  if  each  change  to  a 
procedure  entailed  re-examining  every  procedure  which  it  may  ever  call  or 
which  may  ever  call  it.  The  second  extension  is  the  use  of  structure 
operations  to  obtain  a  conveniently-controlled  non-determinacy.  A  uost 
exciting  prospect  is  to  allow  a  node  n  to  have  an  attribute  (the  shared 
attribute),  which  would  disable  automatic  copying,  so  that  a  Modify  firing 
could  output  a  write  pointer  to  u  even  when  SRC(n)  >  1.  From  the  argument 
given  above,  different  firing  sequences  starting  in  equal  initial  states 
give  rise  to  unequal  final  states  only  if  two  firings  with  different 
pointer  or  selector  inputs  output  pointers  to  the  same  shared  node  in  a 
different  order. 

The  only  developed  suggestion  for  extending  the  entry-execution  model 
is  a  consequence  of  storage  reclamation.  Specifically,  the  finiteness  of 
the  set  of  pointer  values  in  any  physical  implementation  means  that  one 
pointer  may  be  the  output  of  several  Copy  firings  in  a  single  firing 
sequence.  A  correct  implementation  never  allows  a  Copy  firing  to  output  a 
pointer  to  an  accessible  node;  every  Copy  firing  outputs  a  pointer  which 
either  does  not  point  to  any  node  or  points  to  an  inaccessible  node,  whose 
storage  has  presumably  been  reclaimed.  Modeling  such  a  correct  implemen¬ 
tation  requires  two  initial  Bteps: 
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1.  Redefine  the  access  history,  which  Is  more  properly  a  history  of  the 
accesses  to  a  unique  node  than  the  history  of  accesses  using  a  unique 
pointer.  Two  entries  with  value  p  In  a  computation  oo  should  be  in 
the  same  access  history  iff  they  are  not  separated  In  co  by  the 
Initiating  entry  of  a  Copy  execution  with  output  entries  of  value  p. 

2.  Add  a  new  constraint  to  the  definition  of  a  Structure-as-Storage 
model.  This  should  reflect  the  fact  that  If  the  0th  firing  of  Copy 
or  Select  operator  S  in  firing  sequence  Q  outputs  p,  then  there  are 
tokens  of  value  p  in  all  subsequent  states  until  the  last  firing  In 
blocking  group  B^(S,n).  Therefore,  no  Copy  firing  should  output  p 
between  the  n^  firing  of  S  and  the  last  firing  In  B (S,n) . 

These  revisions  must  then  of  course  be  propagated  through  the  proofs  in 
Chapters  5,  6,  and  7. 

8.4  Conclusions 

Those  results  of  the  thesis  which  are  felt  to  be  significant  original 
contributions  are  listed  briefly  below: 

1.  A  state-oriented,  but  non-graphical ,  definition  of  a  complete  set  of 
primitive  structure  operations  (of  which  First  and  Next  are  original) 
(Section  2.2). 

2.  A  definition  of  equality  of  data-flow  interpreter  states  with  heap 
components,  and  the  concomitant  definitions  of  functionality  and 
equivalence  between  two  languages  (Section  2.4). 

3.  The  language  L^,  the  modified  interpreter,  and  a  translation  algor¬ 
ithm  to  take  any  well-behaved  program  into  an  equivalent 
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program  which,  at  least  under  certain  ground  rules,  is  maximally 
concurrent . 

4.  A  new  model  of  concurrent  computation,  which  offers  a  memory less 
(non-state-oriented)  representation  of  the  essential  order-dependent 
input-output  behavior  of  structure  operations.  This  expresses  what 
is  common  among  all  systems  of  concurrent  computation  over  data 
structures,  without  regard  to  their  idiosyncratic  control  and  local- 
memory  structures  (Chapters  4  and  5) . 

5.  A  definition  of  determinacy  and  a  set  of  axioms  which  are  proven 
sufficient  for  determinacy,  all  using  the  entry-execution  model,  and 
hence  all  applicable  to  any  concurrent  computations  over  data 
structures  (Chapter  6) . 

The  proposed  extensions  should  prove  even  more  significant.  The 
Modify  operator  can  eliminate  most  of  the  need  for  the  Copy  operator,  by 
automatically  copying  a  node  only  when  necessary  for  determinacy.  The 
shared  attribute  for  a  node,  which  defeats  automatic  copying,  should 
provide  for  natural  solutions  to  non-determinate  problems,  such  as  the 
airline  reservation  system  [5],  in  which  the  integrity  of  the  data  base  is 
readily  assured. 
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Appendix  A 

Proof  of  Theorem  2.4-1 

Theorem  2.4-1  The  "Match"  relation  is  symmetric  and  transitive. 

Proof: 

Key  definitions:  Def.  2.2-2  -  successor,  reachability,  path 
Def.  2.4-1  -  equal  components  in  a  heap 
Def.  2.4-2  -  Match 

Prove  symmetry  first.  Let  S ^  ■  (F^,U^)  and  $2  “  (Tj.Uj)  be  any  two 
interpreter  states,  where  •  (N^.n^.SM^)  and  02  ■  (N2,n2,SM2).  Let 
and  b2  each  be  an  arc  from  the  programs  of  which  and  T2  respectively 
are  configurations.  Then  for  any  one-to-one  mapping  I:  N,  -*•  K,,,  prove 
that  Match((b2,52),  I,  (b^))  -  MatchUb^) ,  I-1,  (b2,S2)). 

(1)  Since  I  is  one-to-one,  l”*:  N2  ■>  is  also  one-to-one. 

(2)  Let  m^fN^  and  >2^2  an^  190  no<*®8  *or  which  U2<m2  ■  U^.m^.  Then 

m2  -  I(m^),  and  for  each  node  n^  equal  to  or  reachable  from  m^  in 
Dj,  SM2(l(ni))  -  KSM^)). 

Now  prove  the  following  preliminary  result: 

A:  Vn€N^,  n  la  reachable  from  m^  in  »I(n)  is  reachable  from  m2  in  U2 

and  Vn€N2,  n  Is  reachable  from  m2  •  1  *(n)  is  reachable  from  m^ 

Proof  of  A  is  by  induction  on  the  length  k  of  the  shortest  path  from  m^ 
to  n,  or  from  m2  to  n. 

Basis:  k  -  1. 

(3)  SMj^mj)  -  {v,  (s1,r1),...,(8J,rj)>  iff 

SM2(I(m1))  -  {v,  (s1,I(r1)),...,(sJ,I(rj))} 


(2) 
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(4)  Vn€N^,  n  Is  reachable  from  by  a  shortest  path  of  length  l»nls 
a  successor  of  m^  =»  31:  r^  ■  n  [(3)]  »  I(n)  ■  Kr^)  Is  a  successor 
of  l(2)+(3)]  =*  I(n)  is  reachable  from 
Similarly,  VnfN^,  n  Is  reachable  from  by  a  shortest  path  of  length  1 
=»  31:  iCr^)  ■  n  [(3)]  =»  I  *(n)  ■  r^  is  reachable  from  m^  f(2)+(3)]. 
Induction  step:  Assume  that  A  is  true  for  any  node  reachable  from 
(or  m^)  by  a  shortest  path  of  length  k  >  0. 

Vn€N^,  n  is  reachable  from  by  a  shortest  path  of  length  fc+1  =» 
3n'tN^:  n  is  a  successor  of  n'  and  n*  is  reachable  from  m^  by  a  shortest 
path  of  length  k.  n'  is  reachable  from  m^  by  a  shortest  path  of  length 
k  =»  I(n')  is  reachable  from  m^  [lnd.  hyp.],  n  is  a  successor  of  n'  » 

I(n)  is  a  successor  of  I(n')  t(4)].  Therefore,  n^  is  reachable  from 
by  a  shortest  path  of  length  k+1  ■*  I(n')  is  reachable  from  m 2  and  I(n) 
is  a  successor  of  I(n')  •»  I(n)  is  reachable  from  m^.  As  in  the  basis 
for  A,  a  symmetric  argument  will  show  that  VnCM^,  n  is  reachable  from  m2 
by  a  shortest  path  of  length  k+1  «•  l”*(n)  is  reachable  from  m^.  Thus 
A  is  proven  by  induction. 

(8)  Let  n2  be  m2  or  any  node  reachable  from  m2  in  Then  I  ^(ttj)  is 

reachable  from  m^  in  A 

SM2(I(r1(n2)))  -  iCSMjtt"1^)))  1(2)3;  i.e.,  SM2(n2)  -  KSM^l"1^))) 
1(1)1.  *o  SM1(l'‘1(n2))  -  {v,  (s1,r1),...,(Sj,rj)>  iff 

SM2(n2)  -  {v,  (s1,I(r1)),...,(Sj.I(rj))>.  Furthermore, 

SM1(l"1(n2))  -  {v,  (e^r^ . (8j,tj)>  iff 

SM^I  1  (n2) )  -  {v,  (s1,l"1(I(r1))),...,(8j,l"’1(I(rj)))  >  i(l)].  Therefore 

(9)  SM^f1^))  -  r1(SM2(n2)) 

Since  -  r1^)  [  (l)+(2)  ] , 
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(10)  02j^  i  01.«1  -D1.«1I-  U2.«2  (2)+(8)+(9) 

How,  M*tch((b2,52),  1,  (b1,51)) 

-  b^  has  no  token  in  and  b2  has  no  token  in  r2>  or 

b^  has  a  non-pointer  value  in  and  b2  has  the  same  value  in  r2,  or 

b^  has  a  pointer  value  p^,  b^  has  a  pointer  value  p2,  and 

u2.n2(p2)  i  Oj.rijCpj) 

—  b,5  has  no  token  in  r2  and  b^  has  no  token  in  r^,  or 

b2  has  a  non-pointer  value  in  r2  and  b^  has  the  sane  value  in  r^,  or 

b2  has  a  pointer  value  p2,  has  a  pointer  value  p^,  and 

Ul,rTl(pl)I"  U2*n2(p2)  1(10)1 
-MatcMO^.sp,  i”1,  (b2,52)) 

Transitivity:  Let  S±  “  (r^.TT^) ,  for  i-1,2,3,  be  any  three  states,  where 
-  (N1,ni,SM±) .  Let  b^  be  any  arc  from  the  prograa  of  which  is  a 
configuration.  Then  prove  that  for  any  two  one-to-one  mappings 
Ij!  N2  -*■  N2  and  IjJ  N2  -*•  Nj,  Match ( 0>2 ,52> ,  Ij.  and 

Match((b3,S3),  I2,  (b2,S2))  •  Match((b3,53) ,  (bj.Sj)),  where 

I2*I3  is  the  composition  of  the  mappings  1^  and  • 

(11)  Let  n2^2»  and  m3€N3  be  any  three  nodes  for  which 

*1  *2 

U2.m2  -  U^.m^  and  U3.m3  -  U2.m2.  Then  m2  -  I^Sj),  -  I2(m2),  for  each 
node  n^  equal  to  or  reachable  from  m^,  SMjd^fn^))  »  I^(SM^(n3>) ,  and  for 
any  node  n2  equal  to  or  reachable  from  m2,  SM^I^n^)  -  I2(SM2(n2)). 

(12)  m3  -  I2*I1(«1)  (11) 

(13)  Let  n^  be  any  node  equal  to  or  reachable  from  m^.  Then  1^ (n^) 

is  equal  to  or  reachable  from  I^On^)  “  «2  (11)+A 

SMl(nl)  m  •  •  •  •  1  j  »*j) }  iff 

SM2(I1(n1))  -  {v,  (s1,l1(r1)),...,(sJ,I1(rj))}  [(H)]  iff 
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SM3(I2(i1( ttj)))  -  {v,  (81,I2(I1(r1))),...,(sj.I2(I1(rJ)))}  [(13)+(11)]. 

!»«• *  SM3(I2*I1(n1))  •  I2*I1(SH1(n1)) .  Therefore, 

(14)  U3.m3  I2iIl  ui.m1  (12)+(13) 

Hatch((b2,52),  lv  (b1,51)  • 

[b^  has  no  token  in  F2  =»  b2  has  no  token  in  r2]  A 
[b^  has  a  non-pointer  value  =»  b2  has  the  same  value]  A 

[b^  has  pointer  value  p^  =»  b2  has  a  pointer  value  p2  such  that 

U2*n2(p2)  ^  ^1*n1(P1)  1 » 

and  Match ((b^),  l2>  (b^))  =. 

[b2  has  no  token  in  T2  =»  b3  has  no  token  in  A 
[b2  has  a  non-pointer  value  =>  h.  has  the  same  value]  A 

[b2  has  pointer  value  p2  •»  b3  has  a  pointer  value  p3  such  that 

U3 •n3(p3)  -u2.n2(P2)], 

so  Match ((b2,52),  lv  (b1,S'1))  and  Match ( (b3 ,S3> ,  I2>  (b2,S2»  - 
[b3  has  no  token  in  «*  b3  has  no  token  in  1^]  A 
[b3  has  a  non-pointer  value  •  b3  has  the  same  value]  a 

[b^  has  pointer  value  p^  •»  b3  has  a  pointer  value  p3  such  that 

°3*n3(P3)l2"Ilui-ni<Pl>J  KWl 

-  Hatch (<b3,S3),  l2-Iv  (bj.5^) 


A 
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Appendlx  B 

Proof  of  Theorem  3.4-2 

Theorem  3.4-2  Let  P  be  any  well-behaved  L^y  program,  and  let  P'  be  its 
translation  via  Algorithm  3.4-1.  Let  S  be  any  initial  standard  state  for 
P,  and  let  S'  be  any  initial  modified  state  for  P'  which  simulates  S. 

Then  for  any  halted  firing  sequence  2  starting  in  S : 

1.  R(S)  is  a  halted  firing  sequence  starting  in  5',  and 

2.  S'’ R(2)  simulates  S’Q. 

Proof: 

Key  definitions:  Def.  2.4-1  -  equal  components;  Def.  3.4-1  -  Natch; 

Defs.  2. 1-5+2. 2-5  -  standard  interpreter; 

Defs.  3. 3-7+3. 3-8+3. 3-9  -  modified  Interpreter 
Proof  is  by  Induction  on  the  lengths  of  the  prefixes  of  2.  For  any 
prefix  e,  let  0*  ■  R(0),  and  let  the  state  S’*©1  be  (r’.U'.Q').  Let  A 
and  T  be  the  maps  generated  by  Algorithm  3.4-1  in  translating  P  into  P'. 
Then  the  induction  hypotheses  are: 

V:  R(0)  is  a  firing  sequence  starting  in  S’ . 

W:  There  is  no  write  pointer  on  any  arc  in  T’. 

X:  Q'  is  empty. 

Y:  For  any  arc  b'  which  is  a  number-1  input  arc  of  an  Assign,  Update, 
or  Delete,  or  of  a  sequencer  in  P',  there  is  no  token  on  b'  in  T*. 
Z:  5’*6'  simulates  £• 0. 

Basis:  | 0 |  ■  0.  Then  0'  ■  0  -  X  [Alg.  3.4-2],  so 
(1)  0'  is  a  firing  sequence  starting  in  S',  S'  •©'  -  S',  and  S-Q  ■  5 
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Def.  2.3-1 

There  are  no  write  pointers  in  an  Initial  modified  state,  and  the  pool 
component  therein  is  empty  [Def.  3.3-5].  The  only  arcs  in  P'  which  have 
tokens  on  them  In  an  initial  dtate  are  program  input  arcs  and  control  arcs 
[(l)-fDefs.  3.3-54-2.2-6],  and  none  of  those  arcs  is  a  number-1  input  arc 
of  an  Assign,  Update,  Delete,  or  sequencer.  Since  S'  simulates  S  by 
hypothesis.  S’ *0'  simulates  S‘6  [(1)].  Hence,  V,  W,  X,  Y,  and  Z  for  6. 
Induction  step:  Assume  that  the  five  Induction  hypotheses  are  true  for 
some  proper  prefix  6  of  Q.  Consider  prefix  6<p  of  $2,  in  which  the  last 
firing  ip  is  of  an  actor  labelled  d  in  P.  Use  the  following  notation: 
(1^,^)  is  the  state  5*0,  where  U^  ■  (N^JT^.SMj) 

(r2,U2)  is  the  state  S*0< p,  where  U2  -  (l»2,n2,SM2) 

<r{,U’,Qp  is  the  state  S‘*0\  where  U'  -  (N',n',SMj) 

(r^.U^.Q')  is  the  state  S’-RCM*  where  U£  -  (N^,n^,SMp 

(2)  d  is  enabled  in  Def.  2.3-1 

(3)  There  is  a  mapping  I:  -*■  under  which,  for  any  arc  b  in  P, 

MatchUAO^.S'-e'),  1,  (b,5'0))  ind.  hyp.  Z+Def.  2.4-7 

(4)  For  any  arc  b  in  P,  there  is  a  token  on  b  in  iff  there  is  a  token 

on  A(b)  in  r2  (3) 

There  are  two  cases  to  consider:  d  either  is  or  is  not  a  Const,  Append, 
or  Remove. 

Case  I:  d  is  not  a  Const,  Append,  or  Remove. 

(5)  T(d)  is  the  label  of  a  single  actor  in  P*,  having  the  same  type  as 

d,  and  for  each  input  and  output  arc  b  of  d  in  P,  A(b)  is  the  same 
input  or  output  arc  of  T(d)  in  P' 

T(d)  is  enabled  in  unless  it  is  a  Select  S  and  there  is  a  pointer  p 
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such  that  SfQ^(p)  [(2)+(4)+(5)+Def .  3.3-6],  so 

(6)  T(d)  is  enabled  in  ind.  hyp.  X 

Since  P  is  an  program,  d  is  not  a  Copy,  Assign,  Update,  or  Delete 
[Def .  2.2-3],  so 

(7)  T(d)  is  not  a  Copy,  Assign,  Update,  or  Delete  (5) 

(8)  6s<p',  where  <p'  is  the  firing  which  is  the  label  T(d),  is  a  firing 

sequence  starting  in  S'  ind.  hyp.  V+(6)+(7)+Def .  2.3-1 

Since  0V  "  R(6V  is  R(6<p)  [<8)+<7)+Alg.  3.4-2],  V  for6«p[(8)]. 

Let  (r,U",Q")  be  the  state  Fire(S" *0’ ,T(d)) ,  and  let  be 

Standardp((Strlp(r^,T(d)) ,U^) ,T(d)) .  Then  there  is  a  write  pointer  on 

an  arc  b  in  Tj  B  there  is  a  write  pointer  on  b  in  T"  =*  since  T(d)  is 

not  a  Copy  [(7)],  there  is  a  write  pointer  on  b  in  r'  ■»  there  is  a  write 

8 

pointer  on  b  in  r|,  unless  b  is  an  output  arc  of  pi  actor  T(d),  in  which 

case  there  is  a  write  pointer  on  an  input  arc  of  T(d)  in  r|.  Therefore, 

(9)  W  for  0q>,  and  there  is  no  write  pointer  on  b  in  T"  ind.  hyp.  W 

T(d)  is  not  a  Select  with  a  pointer  on  any  output  arc  in  r|  «* 

r"  -  and  Q"  is  empty  [(7)+ind.  hyp.  Xj  »  r£  -  T"  -  ^  and  is  empty. 
T(d)  is  a  Select  with  pointer  p  on  its  output  arcs  in  r'  =»  r"  is  r' 
with  all  those  output  tokens  removed,  and  Q"  is  empty  except  that  Q"(p)  is 
[T(d) }  [ind.  hyp.  X]  »  Ti  is  T'  with  tokens  on  the  output  arcs  of  T(d) 
whose  value  is  (p,R),  and  is  empty  [(9)].  Therefore, 

(10)  X  for  0<p,  and  rl  equals  r'  with  "R"  tags  in  each  pointer-valued 
token  on  an  output  arc  of  T(d) 

For  any  arc  b  in  P',  there  is  a  token  on  b  in  but  not  in  F|  only 
if  b  is  an  output  arc  of  T(d) .  Every  number-1  input  arc  of  an  Assign, 


Update,  Delete,  or  sequencer  is  an  output  arc  of  a  Copy,  Assign,  Update, 
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or  Delete.  Hence,  Y  for  @<p  [(10)+(7)+ind.  hyp.  Y]. 

*  Standardu((Strlp(r|,T(d))  ,up,T(d))  ,  so 

(11)  U2  -  Ux  and  (8)+(7) 

M 

(12)  For  every  node  m  in  N2  ■  N^,  U2.m  ■  U^.m,  and  for  every  node  m' 

In  *  Nj,  U^.m'  ■  U|.m' ,  where  M  is  the  identity  mapping  (11) 
Notation:  For  any  two  configurations  T  and  r'»  any  two  arcs  b  and  b'  in 
the  programs  of  which  r  and  F '  are  configurations,  and  any  value  v£ V, 
abbreviate  "there  is  a  token  of  value  v  on  b  in  F  iff  there  is  a  token 
of  value  v  on  b*  in  T'"  by  "TV(b,r)  ■  TV(b',r')  ■  v". 

(13)  For  every  arc  b  in  P,  b  is  not  an  input  or  output  arc  of  d  =» 

TV(b,r2)  *  TV(b,r^)  a  A(b)  is  not  an  input  or  output  arc  of  T(d) 
[(5)]  -TV(A(b),r£)  -  TVCA(b).r’)  (10) 

(14)  d  is  a  gate  and  c  is  its  control  input  arc  =»  T(d)  is  the  same  type 

of  gate,  and  A(c)  is  its  control  input  arc  [(5)]  =»  T(d)  has  the 
same  control  input  in  Fj^  as  d  has  in  (3) 

For  any  arc  b  in  P,  b  is  an  input  arc  of  d  »  there  is  a  token  on  b  in  T2 
iff  there  is  a  token  on  A(b)  in  hence  in  rp  and  if  so, 

TV(b,r2)  =*  TVft.rp  and  TV(A(b),rp  -  TV(A(b),rp  t  (8)+(5)+(14)+(10)  ] . 
Thus, 

(15)  For  any  arc  b  in  P,  b  is  not  an  output  arc  of  d  =»  there  is  a  token 

on  b  in  T2  iff  there  is  a  token  on  A(b)  in  rp  and  if  so, 

TV(b,r2)  -  TVOsrp  and  TV(A(b),r’)  -  TV(A(b),rp  [(13)]  =»  there 
is  a  token  on  b  in  F2  iff  there  is  a  token  on  A(b)  in  F2,  and  if 
so,  Hatch((b ,S*8<p) ,  M,  (b,£”0))  and  Match((A(b)  ,S'  *0V) ,  M, 
(AOO.S’-e'))  [(12)]  •  Match((A(b),5'-6V),  I,  (b,5*0(p)) 


(3)+Thm.  2.4-1 
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For  the  output  arcs  of  d,  there  are  three  subcases  to  consider. 

Case  la:  d  is  a  pi  actor.  Then  there  are  tokens  on  all  output  arcs  of  d  In 
T-  iff  there  are  tokens  on  all  output  arcs  of  T(d)  in  r* ,  hence  in  T', 

S  4 

and  if  there  are  such  tokens,  then  there  is  an  arc  a  in  P  such  that,  for 
any  output  arc  b  of  d,  TV(b,r2)  ■  TV(a,T^)  and  TV(A(b),r2)  *  TV(A(a),r’) 

[ (8)+(5)+(14) ] .  Hence,  Match((b,5’0<p) ,  M,  (a,S*9))  and 
Match((A(b),S'*9V),  M,  (A(a) ,£' -6'))  [(12)],  so 

(16)  Match((A(b),S'*6V),  I.  (b,5’0<p))  (3)+Thm.  2.4-1 

Case  lb:  d  is  neither  a  pi  nor  a  structure  operator 

(17)  For  each  input  arc  a  of  d  in  P,  there  is  a  non-pointer  value  on  a 

in  rr  and  there  is  a  non-pointer  value  on  each  output  arc  of  d 
in  r2 

By  (3),  then,  TV(A(a)  ,T|)  ■  TVte.r^).  For  each  output  arc  b  of  d,  there 

is  a  token  on  b  in  r_  and  one  on  A(b)  in  T ' ,  and  the  value  of  the  token 

2  s 

on  A(b)  in  T*  depends  on  just  the  tokens  on  T(d)'s  input  arcs  in  T' ,  in 

8  X 

exactly  the  same  way  that  the  value  of  the  token  on  b  in  depends  just 
on  the  values  of  the  tokens  on  d's  input  arcs  in  [(8)+(5)].  Therefore, 
TV(A(b),rp  -  TV(b,r2)  [(10)],  so 

(18)  Match((A(b),S'-eV),  I,  Cb.S'Sip)) 

Case  Ic:  d  is  a  structure  operator 

(19)  d  is  a  Fetch,  First,  Next,  or  Select  Def.  2.2-3 

(20)  If  d  is  a  Next  or  Select,  then  it  has  a  selector  input  arc  a,  T(d) 

has  a  selector  input  arc  A(a),  and  TV(a,T^)  ■  TV(A(a),rj)  (5)+(3) 

(21)  Let  p  be  the  value  on  d’s  pointer  input  arc  in  and  let  m  «  n^(p) . 

Then  there  is  a  token  with  pointer  value  p',  (p',R),  or  (p* ,W)  on 
the  pointer  input  arc  of  T(d)  in  Tj,  and,  letting  m*  -  n^(p'). 


(5)+(3) 


(22)  SM^(m)  •  [v,  (Sj^.nj^),  ...,(Sj,nj)>  iff 

SM|(m')  -  [v,  (s1,I(n1)),...,(s^,I(nj))} 

(23)  Let  b  be  any  output  arc  of  d.  Then  A(b)  is  the  sane  output  arc  of 

T(d)  (5) 

d  is  a  Fetch  =>  TV(b,r2)  depends  only  on  the  value  in  SM^On),  and 
T(d)  is  a  Fetch,  so  TV(A(b) ,r^)  depends  in  the  same  way  on  the  value  in 
SM|(m')  [  (5)+(21)+(23)  ]  =>TV(A(b),rp  -  TV(b,r2>  [(22)+(10)]. 

d  is  a  First  or  Next  or  d  is  a  Select  and  b  is  its  control  output  arc 
=>  TV(b,r2)  depends  only  on  the  set  of  selectors  in  SM^(m)  and  on  the 
value  of  the  token  on  d's  selector  input  arc  a,  if  any,  and  since  T(d) 
is  the  same  type  of  actor,  the  value  on  A(b)  in  F^  depends  in  the  same 
way  on  the  set  of  selectors  in  SM^(m')  and  on  the  value  of  the  token  on 
T(d)'8  selector  input  arc  A(a),  if  any  [ (5)+(21)+(23) ]  =>  TV(b,r2)  * 
TV(A(b),r2)  [(22)+(20)+(10)] .  From  these  two  paragraphs, 

(24)  d  is  a  Fetch,  First,  or  Next,  or  b  is  a  control  output  arc  of  a 

Select  d  =»  the  value  of  the  token  on  b  in  T2  is  not  a  pointer, 

and  TV(b,r2)  -  TV(A(b),r’)  -  Match((A(b)  ,s'  *0V>  »  0»,5*  9<p)) 

Otherwise,  d  is  a  Select  and  b  is  a  data  output  arc  of  it.  Let  s 

be  the  value  of  the  token  on  d's  selector  input  arc  in  r^.  Then  T(d)  is 

a  Select  with  a  selector  input  of  s  [ (19)+(24)+(5)+(20) 1 .  3i:  s^  *  s 

=»  the  value  of  the  token  on  b  in  T-  and  of  that  on  A(b)  in  r'  are  both 

i  s 

undef  [(22)].  3i:  ■  s  =»  the  value  of  the  token  on  b  in  r2  is  q, 

where  n2(q)  *  n^,  and  the  value  of  the  token  on  A(b)  in  is  q',  where 
n|(q')  *  I(n^)  [(22)]  =»  the  value  of  the  token  on  A(b)  in  r2  is  (q',R) 
[(10)].  In  this  latter  case,  n ^ Cq * )  ■  I(n^)  -  I(n2(q))  [(H)],  and  for 
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any  node  n,  n  ia  equal  to  or  reachable  from  "  n^Cq)  in  U^  *»  n  is 
reachable  from  m  In  U^,  hence  in  [(22)+(ll)+Def .  2.2-2]  *»  SM2(I(n))  ■ 
SM<(I(n>)  -  KSMjCn))  -  I(SM2(n))  [(11)+(21)].  By  Def.  2.4-1,  then, 
U^.n^(q')  -  U2.n2(q).  Therefore,  in  either  case, 

(25)  d  is  a  Select  and  b  is  a  data  output  arc  »• 

Match ((A(b), S' -0V),  1*  (b ,S-e<p)). 

Hence,  Z  for  0<p  [  (15)+(16)+(18)+(19)+(24)+(25)+Def .  2.4-7] 

Case  II:  d  is  a  Const,  Append,  or  Remove 

(26)  Let  T(d)  be  the  triple  (C,U,G).  Then  in  P' ,  C  labels  a  Copy,  G 

a  sequencer,  and  U  either  an  Assign,  Update,  or  Delete 

(27)  There  are  tokens  on  all  of  d's  input  arcs  and  on  none  of  its  output 

arcs  in  r^,  so  (2)+Def.  2.1-4 

(28)  There  are  tokens  on  C's  input  arc  and  on  U’s  number-2  (and  number-3) 

input  arcs  in  1*^  (4) 

For  every  output  arc  b  of  C,  D,  or  6  in  P',  either  b  is  an  input  arc  of 
an  Assign,  Update,  or  Delete,  or  a  sequencer,  or  there  is  an  output  arc 
a  of  d  in  P  such  that  b  -  A(a),  so 

(29)  No  output  arc  of  C,  U,  or  G  holds  a  token  in  (27)+Def.  2.1-4 

C  is  enabled  in  rj  [(28)+(29)],  so 

(30)  6'<pc,  where  <pc  ■  (C,(p,n)),  pfdom  nj  and  n<N|,  is  a  firing  sequence 

starting  in  S'  ind.  hyp.  W+Def.  2.3-1 

There  is  a  token  on  U's  number-1  input  arc  in  so  U  is  enabled 

v 

[ (28)+(29)+(30) ] ,  and  so 

(31)  where  ^  ■  U,  is  a  firing  sequence  starting  in  S'  (30) 

There  are  tokens  on  both  of  G's  input  arcs  in  5' ‘d'c^cp^,  so  G  is  enabled 

[ (29)+(3Q)+(31) ] ,  and  so 
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(32)  e,tPc<P|j<PG»  where  <pG  -  G,  Is  a  firing  sequence  starting  in  5'  (31) 

(33)  R (dcp)  *  R(0)<pG<py<pG  is  a  firing  sequence  starting  in  S' 

(30)+(31)+(32)+Alg.  3.4-2 

The  only  number-1  output  arc  of  C  is  an  input  arc  of  U,  so  the 
only  write  pointer  output  by  any  of  the  firings  <pc>  <py,  or  tpG  is  input 
by  cpyj  i.e.,  W  f or  0cp  [  (33)+ind .  hyp.  W] . 

Since  none  of  q>c,  or  <pG  is  a  Select  firing,  X  for  0cp  [(33)+(26)+ 
ind.  hyp.  X]. 

For  every  number-1  input  arc  of  an  Assign,  Update,  or  Delete,  or 

sequencer  in  P'  on  which  a  token  is  placed  by  one  of  <p  ,  <p  ,  or  q>  in 

C  ~U  G 

R(9<p),  that  token  is  removed  by  a  subsequent  one  of  those  firingB.  Hence 
Y  for  0<p  [ind.  hyp.  Y], 

(34)  Let  a  be  the  number-1  input  arc  of  d.  Let  p^  (pp  be  the  value  of 

the  token  on  arc  a  (A(a))  in  (rp.  Let  «  n^pp  and 

mi  "  npPp*  Then  *  Ul,ml  (3) 

(35)  SMjGttj)  -  {v,  (s1,n1),...,(Sj,nJ)}  iff 

SM|(m')  -  {v,  (s1,I(n1)),...,(sj,I(nJ))}  (34) 

(36)  Let  p^  be  the  value  of  the  token  on  C's  output  arcs  in  * 0 and 

let  m^  *  n^pp.  Then  p^  was  output  by  <pc,  and  letting  the  heap  in 
S’-0'<pc  be  (N’.npSMp,  SK’Cmp  -  SM’(m')  (34)+(30) 

(37)  p^  is  the  number-1  input  to  and  the  transmitted  input  of  <pG 

(36)+(31)+(32) 

(38)  Let  P2  be  the  value  of  the  token  on  d's  data  output  arcs  in  Tj* 

and  let  m2  *  H2^P2^  *  D®**-11®  I+  to  he  IUKu^.mp}.  Then 

SM^(mp  -  {v,  (s1,I+(n1)),...,(sj,I+(nj))}.  (36)+(35) 

(39)  For  any  control  output  arc  b  of  d,  A(b)  is  a  control  output  arc  of  U 
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The  value  of  the  token  on  b  In  5'0cp  depends  on  the  value  and  set  of 
selectors  In  SM^(n^)  [(34)3,  and  the  value  of  the  token  on  A(b)  in 
S’  hence  in  S'  •0,<P£<Pu<Pq»  depends  in  the  sane  way  on 

SM^(n'(p’))  -  SM'(mp  [ (26)+(39)+(37) ] .  Therefore, 

(40)  For  every  control  output  arc  b  of  d,  TV(b,r2)  -  TV(A(b) ,T2) (35)+(38) 
Every  output  arc  of  G  holds  a  token  of  value  p2  in  [(37)+ 

Def.  3.2-2].  Every  output  arc  of  C  which  is  not  an  input  arc  of  0  or  G 
holds  a  token  of  value  in  r2  [(36)+(33)].  For  every  data  output  arc 
b  of  d,  A(b)  is  either  an  output  arc  of  G  or  an  output  arc  of  C  which 
is  not  an  input  arc  of  U  or  G  [(26)].  Therefore, 


(41)  b  holds  a  token  of  value  p2  in  A(b)  holds  a  token  of  value  p£ 

in  T*.  and  I^(p’)  -  I+CI2Cp2))  (38) 

(42)  nx  c  n2  and  Vn€»2,  n*n2  *»  SM2(n)  -  SM^n)  (38) 

(43)  The  only  firing  among  <pc,  <py,  and  <pG  which  changes  SM  is  ip^,  so 

17^  c  ri£,  and  Vn€N£,  n#n*  =»  SM£(n)  -  SM^(n)  (37)+(36) 

(44)  SM2(m2)  is  created  from  SM^(m^)  by  the  firing  ip  of  d,  and  SM2(a2) 

is  created  from  SM^(m2)  by  the  firing  <pp  of  U  (38)+(37)+(36) 

Letting  a2  (a^)  be  the  nusdier-2  (number-3)  input  arc  of  d,  A(a2)  (A(a^)) 
is  the  number-2  (nuaber-3)  input  arc  of  U  [(26)],  so 


(45)  <p  and  <py  have  equal  number-2  inputs,  and  for  their  nuaber-3  inputs, 

p3  and  p^,  u'.n’(p^)  ~  u1.n1(p3)  (3) 

(46)  d  is  a  Const  =»  SM2(m2)  »  [v1,  (is^,n^) . (s^n^)},  where  v*  is 

(p^s  number-2  input  [(44)]  A  cp^  is  an  Assign  firing  with  v'  as  its 
number-2  input  [  (26)+(A5)  ]■»... 

SH}(mp  -  (v',  (s1,I+(np),...,(Sj,I+(nj))>  [(44)] 


■  «**<=  r* 
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(47)  d  Is  a  Remove  •  SM2 (n^)  -  SH^(m^)-{(s^,n^) ),  where  is  <p's 

number-2  input  [(44)]  a  <j>y  is  a  Delete  firing  with  s^  as  its 
number-2  input  [(26)+(45)]  »  SM^m’)  -  SM^(m£)  -  {(si,I+(ni)) } 

(38)+(44) 

(48)  d  is  an  Append  =»  SM2(m2)  ■  J‘M]/m3)U{(s,n3(p3))  },  where  s  (p^)  is 

<p's  number-2  (number-3)  input  [(44)]  A  U  is  an  Update  with  nunber-2 
input  s  and  number-3  input  where  U|.nj(pj)  ■  U^.n^(p^)  [(26)+ 
(45)]  -SM'(m')  -  SM’(m')U{Cs,nj(p^))}[(42)+(43)+(44)]  - 
SM^(m’)  -  SM’(rapU[(s,I+(n2(p3)))>  [(38)] 

(49)  SM’(m')  -  I+(SM2(m2))  (35)+(38)+(46)+(47)+(48) 

(50)  Let  b  be  any  arc  of  P.  b  is  an  input  arc  of  d  =»  b  is  empty  in  T2 

A  A(b)  is  an  input  arc  of  C  or  U  in  P*  [(26)]  »  A(b)  is  empty  in 
[(33)] 

(51)  b  has  a  token  in  ?2  end  is  not  an  output  arc  of  d  =■ 

TV(b,T2)  ■  TVOj.I^)  a  A(b)  is  not  an  output  arc  of  C,  U,  or  G 
[(26)]  -  TV(A(b),r’)  -  TV(A(b),rp  [(33)] 
b  has  a  token  of  non-pointer  value  in  =»  TV  (b ,  )  ■  TV(A(b),Ij)  [(3)], 

so 

(52)  b  has  a  token  of  non-pointer  value  in  T2  =»  TV(b,T2)  “  TV(A(b),r2) 

(40)+(5l) 

(53)  Let  b  be  any  arc  which  holds  a  pointer  in  r2*  end  let  p  be  that 

pointer,  b  is  not  an  output  arc  of  d  =»  b  holds  a  token  of  value 
p  in  A(b)  holds  a  token  of  value  p'  in  rj  and  r2»  and 
U’.nj(p’)  -  t^JI^p)  -n’(p’)  -  l+0l2(p))  (51)+(3)+(38)+(42)+(43) 

(54)  b  holds  a  token  of  value  p  in  r2,  A(b)  holds  a  token  of  value  p  * 

in  T'2,  and  TT^Cp* )  *  I+CTI2(p)) 


(41)+(53) 
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(55)  Let  n  be  any  node  equal  to  or  reachable  from  n^(p).  n  •  - 

SM£(I+(n))  -  I+(SH2(n))  (49)+(38) 

m2  Is  not  In  H^,  so  for  any  nQ^,  there  is  no  s  such  that  (s,m2)  Is  In 
SMj(n)  [(38)+Thm.  2.2-1];  i.e.,  a2  is  not  reachable  from  any  node  in 
that  is,  every  path  containing  m2  in  starts  at  a>2  [Def.  2.2-2].  Thus, 

(56)  Every  path  in  U2  not  starting  at  m2  is  a  path  in  (42)+Def.  2.2-2 

(57)  n*m2  and  b  is  not  an  output  arc  of  d  *»  p#p2  A  O^.n^p')  »  ^1‘^j/p) 

=»  n  is  equal  to  or  reachable  from  n2(p)  in  U2>  hence  is  equal 
to  or  reachable  from  n2(p)  in  0^  ■*  SM|(I(n))  ■  ^SM^n)) 

(53)+(38)+(56) 

(58)  n#m2  and  b  is  an  output  arc  of  d  =»  p  -  p2  =»  n  is  reachable  from 

m2  *  ^2^P2^  in  ®2  <•  n  is  reachable  from  m^  •  n^(p^)  or  possibly  n 
equals  or  is  reachable  from  n2(p^)  in  l?2 

(38)+(46)+(47)+(48)+Def .  2.2-2 

n*m2  -  SM'(I+(n))  -  I+(SM2(n))  [(57)+(58)+(43)+(38)+(42)  ] ,  so  for 
any  node  n  equal  to  or  reachable  from  n2(p)  in  U2> 

SM*(I+(n))  -  I+(SM2(n))  1(55)].  Therefore,  U^n’(p')  -  U2.n2(p)  [(54)], 
and  so  for  any  arc  b  in  P,  Match ((A(b)  ,5'  *R(9<p)) ,  I+,  (b,5*0ip)) 

[ (50)+(52)+(53)+(54) ] .  Hence,  Z  for  &p  [Def.  2.4-7]. 

Thus  it  is  proven  inductively  that 

(59)  S'  ■  R(8)  is  a  firing  sequence  starting  in  5', 

(60)  there  is  no  token  on  any  number-1  input  arc  of  an  Assign,  Update, 

Delete,  or  sequencer  in  £'*8',  and 

(61)  5'* 8'  simulates  5*8. 

(62)  Ho  actor  is  enabled  in  5*8  Def.  2.3-1 


S'  Is  not  halted  **  there  is  some  actor  d*  which  Is  enabled  In  S' *2' 
[Def.  2.3-1]  =*  [d*  Is  not  a  Copy,  Update,  Delete,  or  sequencer  *  there 
Is  an  actor  labelled  d  In  P  such  that  T(d)  ■  d'  **  d  Is  enabled  [(5)+(3)+ 
(4)+Def.  2.1-4]]  »  d'  Is  a  Copy,  Assign,  Update,  Delete  or  sequencer 
[(62)]  *»  letting  (C,U,G)  be  the  triple  in  the  range  of  T  containing  d', 

U  and  G  are  not  enabled  [ (60)+Def .  2.1-4]  =»  C  is  enabled  =>  there  Is  a 
token  on  C's  input  arc  in  S' *2'  =»  for  some  input  arc  b  of  d,  where 
T(d)  -  (C,U,G),  there  is  a  token  on  A(b)  in  P'  =»  there  is  a  token  on  an 
input  arc  of  d  in  S'Q  [(61)+Def.  2.4-7]  ■»  there  is  in  S‘2  a  token  on 
an  arc  which  is  not  a  program  output  arc  or  a  control  arc  [Def.  2.1-1] 

*»  P  is  not  well-behaved  [Def.  2.3-2].  Therefore,  R(Q)  is  halted. 


m 
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Appendlx  C 
Proof  of  Leona  4.3-2 

Leooa  4.3-2  Let  S  be  any  initial  standard  or  modified  state  of  any  program 
P,  and  let  2  be  any  firing  sequence  starting  in  S.  Then  t)(S,2)  is  a 
causal  computation  for  lnt(P) . 

Proof: 

Key  definitions:  Def.  4.2-7  -  causality;  Def.  4.3-1  -  DL,  In; 

Def.  4.3-2  -  Int(P)  -  (St,/, IE);  Alg.  4.3-1  -  T](S,2) 

Prove  first  that  <&(S,Q)  is  causal  and  that  the  destinations  of  the 
transfers  in  coC?  ,2)  are  all  distinct}  do  so  by  induction  on  j!2 1 . 

Basis:  jfij  -  0.  Then  <o(5,2)  ■  X,  so  there  are  no  entries  in  co(5,2). 
Furthermore,  no  execution  has  output  entries  in  co (5,2),  so  co(5,2)  is 
causal. 

Induction  step:  Assume  that  co(£,2)  is  causal  and  that  the  transfers  of 
the  entries  in  it  all  have  distinct  destinations  for  any  2  of  length 
m  >  0.  Consider  8<p  of  length  nrt-1,  in  which  the  last  firing  <p  is  of  the 
actor  labelled  d.  Let  a  ■  <o(£,8)  and  p  ■  oj(£,8<p).  (All  initiations  are 
with  respect  to  Int(P) .) 

(1)  Let  Ex(d,n)  be  any  execution  of  which  there  is  an  input  or  an 

output  entry  in  (3 .  Then  either  d  is  the  label  of  an  actor  in  P 
or  dCDL,  so  d€St  Def.  4.2-5 

(2)  a  is  a  prefix  of  p 

(3)  Let  f  be  any  entry  in  p,  and  let  it  be  an  output  entry  of 

e  -  Ex(d,k) .  k  -  0  -  d€{"ID,,,"IT,,,,,IF")  -  In(/(d))  -  0  •  e  is 


initiated  in  any  computation 


Def •  4 . 2—6 


f€a  *  e's  initiating  entry  precedes  f  in  a,  hence  in  p  [(2)4ind.  hyp.], 
f  is  in  (3  but  not  in  a  and  k  >  0  •  the  source  in  T(f)  is  Source(b,5,6) 
for  some  arc  b  =■»  dfSt-DL  and  there  are  exactly  k  firings  of  d  in  0 
[(l)+(2)]  *»  there  are  In(/(d))  input  entries  to  e  in  co(5,0)  »  a 
[Lemma  4.3-1]  =»  e's  initiating  entry  is  in  a,  hence  it  precedes  f  in  p 
[(2)+Def.  4.2-6].  Therefore,  (3  is  causal. 

Let  n  be  such  that  <p  is  the  n**1  firing  of  actor  c  in  9<p.  Then  there 
is  exactly  one  entry  in  p  which  is  not  in  a  for  each  token  removed  from 
an  input  arc  of  c  in  the  transition  from  5*0  to  5*0tp,  and  the  destination 
in  the  transfer  of  each  such  entry  is  Dst(Ex(c,n) , j) ,  where  the  token 
was  removed  from  e's  nuniber-j  input  arc,  and  c€St-DL  [(1)].  Since  there 
are  fewer  than  n  firings  of  c  in  0,  there  are  0  input  entries  to  Ex(c,n) 
in  a;  i.e.,  none  of  the  entries  in  a  has  Ex(c,n)  in  the  destination  of 
its  transfer  [Lemma  4.3-1].  Since 

(4)  for  any  actor  c,  for  each  j,  there  is  at  most  one  number-j  input 

arc  to  c,  and  at  most  one  token  is  removed  from  it  in  any 
transition  Def s .  2 . 1-1+2 . 1-5 

the  transfers  of  the  entries  in  p-a  have  distinct  destinations,  although 
each  of  them  has  Ex(c,n)  in  it.  By  induction  hypothesis,  the  destinations 
of  the  transfers  of  the  entries  in  a  are  all  distinct.  Therefore,  the 
destinations  of  the  transfers  of  the  entries  in  p  are  all  distinct. 

Thus  it  Is  proven  by  induction  that 

(5)  for  any  firing  sequence  Q,  w(5,Q)  is  causal  and  the  destinations  in 

the  transfers  of  all  entries  in  co (5,2)  are  all  distinct. 
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(6)  If  8  is  not  halted,  then  r)(S,8)  -  w(5, 8) 

(7)  Assume  8  is  halted,  and  let  a  “  co(5,8)  and  p  -  T)(S,8) .  Let  f  be 

any  entry  In  p  and  let  It  be  an  output  entry  of  e  *  Ex(c,n). 
n  *  0  »  e  is  initiated  in  every  prefix  of  p  (3) 

(8)  a  la  a  prefix  of  p 

f€a  •  e's  ini ta ting  entry  precedes  f  in  a,  hence  in  p  [(9)+(5)].  f  is  in 
p  but  not  in  a  and  n  >  0  =*  the  source  in  T(f)  is  Source (b, 5, 2)  for  same 
arc  b  =»  cfSt-DL  and  there  are  exactly  n  firings  of  c  in  8  [ (7)+Def .  4.2-5] 
»  there  are  In(/(d))  input  entries  to  e  in  co(S,2)  ■  a  [Lemma  4.3-1]  ■» 
e*8  initiating  entry  is  in  a,  hence  it  precedes  f  in  p  [(8)-i-Def.  4.2-6]. 
Therefore, 

(9)  p  is  causal  (5)+(6) 

(10)  The  destinations  in  the  transfers  of  the  entries  in  a  are  all 

distinct,  and  each  of  them  contains  an  execution  Ex(d,k)  where 
d€St-DL  and  k  >  0  (5) 

(11)  p  is  a  followed  by  one  entry  for  each  arc  b  holding  a  token  in  5*8. 

The  destination  in  the  transfer  of  each  such  entry  is 
Dst(Ex(c,0),l) ,  where  c  is  given  by 

if  b  is  the  number-i  program  output  arc  of  P,  then  c  ■  (0D,1) 
otherwise,  b  is  the  nuaber-J  input  arc  of  an  actor  labelled  d, 
and  c  -  (d,J)  (7) 

(12)  c  is  in  DL  and  0D  is  not  the  label  of  an  actor  in  P 

Each  output  arc  of  P  has  a  unique  index  [Def.  2.1-1].  Thus  the  composite 
labels  c  in  the  target  executions  of  all  entries  in  p-a  are  distinct,  and 
so  the  destinations  in  the  transfers  of  all  those  entries  are  distinct 
from  one  another.  [(ll)+(12)+(4)] .  Therefore. 


i 


(13)  The  destinations  in  the  transfers  of  the  entries  in  p  are  all 

distinct  (10)+ (12) 

(14)  Let  e  *  Ex(d,k)  be  any  execution  of  which  there  is  an  input  entry 

or  an  output  entry  in  p.  Then  either  d  is  the  label  of  an  actor 
in  P  or  d€DL,  so  d€St  Def.  4.2-5 

(15)  d€St-DL  «•  there  are  at  most  In(/(d))  input  entries  to  e  in  p 

Lemma  4.3-1 

(16)  df {,,ID","IT","IF" }  =»  there  are  0  input  entries  to  e  in  p  =»  there 

are  exactly  In(/(d))  input  entries  to  e  in  p 

(17)  Otherwise,  /(d)  *  OA  and,  for  j^l,  there  are  no  entries  whose 

transfers  have  destination  Dst(e,j)  [(H)],  and  there  is  at  most 
one  entry  with  destination  Dst(e.j)  1(13)],  so  there  are  at  most 
In(/(d))  input  entries  to  e  in  p  [Def.  4.2-5). 

(18)  Vf€p,  T(f)  has  source  Src(Ex(ID,0) ,1)  =»  V(f)  is  the  value  of  the 

token  on  the  number-i  program  input  arc  of  P  in  S,  and  Vf€p,  T(f) 
has  source  Src(Ex(IT,0) ,1)  ■»  V(f)  -  true  and  T(f)  has  source 
Src(Ex(IF,0) ,1)  »  V(f)  •  false,  and  Vf€p,  there  is  no  k  and  i  such 
that  T(f)  has  source  Src(Ex(d,k)  ,i)  for  any  d€DL-{,,ID",,,IT","IF"}. 
For  any  prefix  Atp  of  2  and  for  any  i,  tokens  appear  in  the  number-1 
group  of  output  arcs  of  actor  d  in  the  transition  from  5*  A  to  S*A<p  •» 
either  $  is  a  firing  of  d  or  d  is  a  Select  which  is  in  a  pool  in  S'  &  but 
not  in  a  pool  in  5*A< p  [Def.  3.3-9].  For  any  two  distinct  prefixes 
and  A2«P2  of  2,  Ia^I  <  |a2<p2|,  and  for  any  Select  d,  d  is  in  a  pool  in 
both  5*A^  and  5*A2  but  not  in  a  pool  in  S'Ajq^  or  in  S*A2<p2  ■»  there  is  a 
prefix  S<p'  of  2  with  |A^<p^|  <  |Hcp *  |  £  [a2(  such  that  d  is  not  in  a  pool 
in 5*3 but  is  in  a  pool  in  S"B(p’  •  <p'  is  a  firing  of  d  ■  Aj^  *n^  ^2^2 
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do  not  contain  the  sane  nuaber  of  flringa  of  d  [Def.  3.3-9].  Therefore, 

(19)  For  any  two  distinct  prefixes  and  ^2^2  of  an^  actor  d >  and 

any  1,  tokens  appear  In  the  number-1  group  of  output  arcs  of  d  In 
both  the  transitions  from  S’ to  an<*  ^rom  ^*^2  to  ^ *^2<f>2  * 

and  ^2^2  do  not  contain  the  same  nuaber  of  firings  of  d 
Given  a  d€St-DL,  k  >  0,  and  i  >  0,  for  every  entry  in  the  set  {f |  T(f) 
has  source  Src(Ex(d,k),l)},  there  is  a  prefix  Atp  of  2  containing  exactly 
k  firings  of  d  such  that  a  token  of  value  V(f)  appears  on  an  arc  in  the 
nunber-i  group  of  output  arcs  of  d  in  the  transition  from  S’L  to  5* hip 
[Lemma  4.3-1].  There  is  only  one  such  prefix  hep  of  8  containing  exactly 
k  firings  of  d  [(19)],  and  all  arcs  in  the  nuober-i  group  of  output  arcs 
of  d  get  tokens  of  the  same  value  in  any  single  state  transition  [Defs. 

2. 1-5+3. 3-9].  Therefore, 

(20)  All  entries  in  the  set  (f|  T(f)  has  source  Src(Ex(d,k) ,1) }  have  the 

same  value 

(21)  All  entries  in  p  whose  transfers  have  a  common  source  have  the 

same  value  (14)+(18)+(20) 

Hence,  p  -  rjCS.fi)  is  a  causal  computation  for  Int(P)  [(9)+(13)-(17)+(21)+ 
Def .  4.2-6]. 

L 
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Appendix  D 

Proofs  from  Chapter  5 

Lemma  5.2-6  Let  a  and  p  be  any  two  causal  computations  for  the  same 
Interpretation  Int  -  (St,  /,IE)  such  that  either  a  Is  a  prefix  of  p  or  p 
Is  SOE-lndusive  of  a,  and 

(1)  for  any  pointer  p,  p  Is  the  value  of  the  output  entries  in  p  of  a 
Copy  execution  C  =»  the  first  entry  In  p  with  value  p  is  an  output 
entry  of  C. 

Let  e  be  any  structure  operation  execution  Initiated  in  a  wrt  Int.  Then 
for  any  Assign,  Update,  or  Delete  execution  A,  e  is  in  R(A)  in  p  iff 
e  is  in  R(A)  in  a  only  if  A  is  initiated  in  a. 

Proof: 

Key  definitions:  Def.  4.2-6  -  initiated;  Def.  5.1-4  -  access  history; 
Defs.  5. 1-5+5. 1-7  -  durations;  Defs.  5. 1-6+5. 1-8  -  reaches; 

Def.  5.2-8  -  SOE-inclusive 

Proof  is  by  Induction  on  the  number  of  structure  operation  executions 
initiated  in  any  prefix  of  a.  Induction  hypothesis  is  that  the  Lemma  is 
true  of  each  such  execution  e  initiated  in  a  prefix  of  a  containing  the 
Initiating  entries  to  n  such  executions.  (All  initiations  are  wrt  Int.) 
Basis:  n  ■  0.  Vacuously  true. 

Induction  step:  Assume  that  the  Lemma  is  true  for  any  prefix  of  a  in 
which  there  are  n  structure  operation  executions  initiated,  and  consider 
prefix  y  in  which  there  are  n+1. 
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(2)  Let  e  be  any  structure  operation  execution  Initiated  in  a,  and  let 

e'  be  any  other  structure  operation  execution.  Let  the  label  in 
e  be  d  and  the  label  in  e'  be  d* .  There  there  are  ln(/(d))  input 
entries  to  e  in  a. 

(3)  a  is  a  prefix  of  {3  »  e'  is  initiated  before  e  in  p  iff  there  is 

a  prefix  6  of  p  containing  In(/(d'))  input  entries  to  e'  but  fewer 
than  In(/(d))  input  entries  to  e  iff  there  is  a  prefix  6  of  a 
containing  In(/(d'))  input  entries  to  e'  but  fewer  than  In(/(d)) 
input  entries  to  e  iff  e'  is  initiated  before  e  in  a  (2) 

(4)  e'  is  initiated  before  e  in  p  iff  e'  is  initiated  before  e  in  a 

(by  definition  if  p  is  SOE-inclusive  of  a)  (3)+(2) 

(5)  a  is  a  prefix  of  p  a  all  input  entries  to  e  in  p  are  in  a  (2) 

(6)  For  any  structure  operation  execution  e  initiated  in  a  and  any 

integer  j,  V(Enta(e,j))  -  V(Ent?(e,j))  (2)+(5)+Def.  5.2-8 

(7)  Let  e  and  e'  be  any  two  distinct  structure  operation  executions 

such  that  e  is  initiated  in  a.  For  any  pointer  p,  Ent  (e',1) 

P 

precedes  Ent_(e,l)  in  iff  e*  initiates  before  e  in  8  and 
P  P 

V(Ent0(e' ,1))  ■  V(EntD(e,l))  -  p  iff  e'  is  initiated  before  e  in  a 
P  P 

[ (2)+(4) ]  and  V(Ent  (e,l))  -  V(Ent  (e,l))  -  p  -  V(Entft(e' ,1))  - 
a  P  P 

V(Ent  (e',1))  [(6)]  iff  Ent  (e,l)  precedes  Ent  (e',1)  in  H° 
a  a  a  p 

(8)  Assume  that  either  EntQ(e',l)  does  precede  Ent_(e,l)  in  or 

P  p  P 

Ent  (e',1)  does  precede  Ent  (e,l)  in  Ha.  Then  e'  is  initiated 
a  a  p 

before  e  in  either  a  or  p 

(9)  e'  Is  initiated  in  both  a  and  p  (8)+(2)+(4) 

(10)  e’  is  in  APS  in  a  iff  e'  is  in  APS  in  p  (9)+Def .  5.1-5 

(11)  For  every  Update  or  Delete  execution  U  initiated  in  a,  e'  is  also 
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an  Update  or  Delete  execution  =* V(Enta(e' ,2))  -  V(Enta(U,2) )  iff 
V(Entp(e' ,2))  «  V(Entp(U,2))  [(9)+(6)] 

(12)  For  any  Update  or  Delete  execution  U  Initiated  in  a,  e'  is  in  SPS(U) 

iff  e*  is  an  Update  or  Delete  execution  Initiated  in  a  and 
V(Enta(e' ,2))  =  V(Enta(U,2))  [Def.  5.1-7]  iff  e'  is  an  Update  or 

Delete  execution  initiated  in  8  and  V(Ent  (e',2))  =  V(Ent  (U,2)) 

P  P 

[ (9)+(ll) ]  iff  e'  is  in  SPS(U)  in  P 

(13)  Let  e  ■  Ex(d,k)  be  any  structure  operation  execution  initiated  in  y. 

Then  there  are  In(/(d))  input  entries  to  e  in  y,  hence  in  a,  so 
e  is  Initiated  in  a 

(14)  For  any  pointer  p,  Ent  (e,l)  is  in  and  p  is  the  value  of  the 

P  P 

output  entries  in  8  of  a  Copy  execution  C  =»  V(Ent  (e,l))  =  p 

P 

(15)  A  the  first  entry  in  p  with  value  p  is  an  output  entry  of  C  (1) 

=»  by  causality,  the  initiating  entry  of  C  strictly  precedes  the  first 
entry  in  (3  with  value  p  [Def.  4.2-7]  =»  the  initiating  entry  to  C  strictly 
precedes  Entp(e,l)  [(14)];  i.e.,  C  is  initiated  before  e  in  p 

(16)  a  C  is  Initiated  before  e  in  a  (13)+(8) 


3  C  is  initiated  in  a  prefix  of  a  in  which  there  are  fewer  than  n+1 
structure  operation  executions  initiated  [(13)]  =» 

(17)  for  any  Assign,  Update,  or  Delete  execution  A,  C  is  in  R(A)  in  p 
iff  C  is  in  R(A)  in  a  only,  if  A  is  initiated  in  a  [ind.  hyp.]  =» 


Ent.(C,l)  is  in  duration  D(A)  in  8  iff  Ent  (C,l)  is  in  D(A)  in  a 
p  a 

only  if  A  is  initiated  in  a 


(18)  Ent„(e,l)  is  in  and  p  is  the  value  of  the  output  entries  in  p  of 
P  P 

a  Copy  execution  C  *»  [a  is  a  prefix  of  p  =»  Ent^(e,l)  is  in  a 
[(.13)+(2)+(5)]  =>  there  is  an  output  entry  of  C  in  a  with  value  p 


fr 
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[(14)+(15)]]  and  [p  is  SOE-induslve  of  a  =»  C  has  output  entries 
in  a  [(14)+(16)]  =»  those  entries  in  a  have  the  same  value  p  as 
the  output  entries  of  C  in  p  [Def.  4.2-5]]  =>  p  is  the  value  in  a 
of  the  output  entries  of  a  Copy  execution  C  [Def.  4.2-6] 

(19)  e  is  initiated  in  p  (13)-H)efs.  4.2-W-5.2-8 

(20)  For  any  pointer  p,  Ent  (e,l)  is  in  H°  and  p  is  the  value  of  the 

a  P 

output  entries  in  a  of  a  Copy  execution  C  =»  V(EntQ(e,l))  *  P  A 
by  causality,  C  is  initiated  in  a  [Def.  4.2-7]  A  there  is  an  entry 
f  in  a  such  that  T(f)  has  source  Src(C,l)  or  Src(C,2)  and  V(f)  -  p 
[Def.  4.2-5]  =»  Entp(e,l)  has  value  p  [(13)+(6)]  A  there  is  an  entry 
g  in  p  such  that  T(g)  has  source  Src(C.l)  or  Src(C,2)  and  V(g)  -  p, 
whether  a  is  a  prefix  of  p  or  p  is  SOE-indusive  of  a  =»Ent_(e,l) 

e  P 

is  in  [(19)]  a  p  is  the  value  of  the  output  entries  in  p  of  a 

Copy  execution  C  [Def.  4.2-5]  -  for  any  Assign,  Update,  or  Delete 

execution  U,  Ent  (C,l)  is  in  D(U)  in  p  iff  Ent  (C,l)  is  in  D(U)  in 
P  a 

a  only  if  A  is  initiated  in  a'[(jL4)+(17)J 

(21)  For  any  Assign,  Update,  or  Delete  execution  A,  Ent  (e,l)  is  in  D(A) 

a 

in  a  iff  for  some  pointer  p,  either 

(21a)  EntQ(A,l)  precedes  Enta(e,l)  in  and  every  entry  which  precedes 

Ent  (e,l)  but  does  not  precede  Ent  (A,l)  in  Ha  is  not  in  APS  (or 
a  a  p 

(SPS(A)) ,  or 

(21b)  every  entry  which  precedes  Enta(e,l)  in  H°  is  not  in  APS  (or  SPS(A)), 
p  is  the  value  of  the  output  entries  of  a  Copy  execution  C  in  a, 
and  Enta(C,l)  is  in  D(A)  in  a 

iff  either  Ent„(A,l)  precedes  Ente(e,l)  in  and  every  entry  which 
P  P  P 

precedes  EntQ(e,l)  but  does  not  precede  Entn(A,l)  in  is  not  in 
P  P  P 
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APS  (or  SPS (A) )  I(7)+(8)+(10)+(12)]  or  every  entry  which  precedes 

Ent„(e,l)  in  is  not  in  APS  (or  SPS(A)),  p  is  the  value  of  the 
P  P 

output  entries  in  p  of  a  Copy  execution  C,  and  Ent^(C,l)  is  is  D(A) 
in  p  t (8)+(10)+(12)+(20)+(14)+(17)+(18) ]  iff  Entp(e,l)  is  in 
D(A)  in  p 

Ent_(e,l) €D(A)  in  p  =»  Ent  (e,l)€D(A)  in  a  *  (21a)  or  (21b)  [(21)]. 

P  a 

(21a)  =»  A  is  initiated  in  a.  (21b)  =»  C  is  in  R(A)  in  a  =>  A  is  initiated 
in  a  [(21b)+(20)] .  Therefore 

(22)  EntD (e,l) €D(A)  in  p  =»  Ent  (e,l)€D(A)  in  i  =»  A  is  initiated  in  a 

P  a 

(23)  =»  V(Ent  (A, 2))  -  V(Ent_(A,2))  A  V(Ent  (e,2))  -  V(Ent„(e,2))  (13)+(6) 

a  p  d  p 

(24)  For  any  Assign,  Update,  or  Delete  execution  A,  e  is  in  R(A)  in  p 

iff  e  and  A  are  executions  of  one  of  a  few  prescribed  combinations 

of  operations,  Ent„(e,l)  is  in  D(A)  in  P,  and  [A  is  an  Update  or 

p 

Delete  and  e  is  a  Select,  Update,  or  Delete  *»  V(Ent  (e,2))  ** 


combinations  of  operations,  Enta(e,l)  is  in  D(A)  in  a  [(21)]  and 
[A  is  an  Update  or  Delete  and  e  is  a  Select,  Update,  or  Delete  => 


V(Enta(e,2))  -  V(Enta(A,2)) ]  [(22)+(23)]  iff  e  is  in  R(A)  in  a 
e  is  in  R(A)  in  a  =»  Ent  (e,l)€D(A)  in  a  =»  A  is  initiated  in  a  (24)+(22) 

A 

Lemma  5.2-7  Let  S  *  (r,U)  be  any  initial  standard  state  for  an  Lgg  program 

P,  and  let  0<p  be  any  firing  sequence  starting  in  S  (cp  is  the  last  firing) . 

Let  a  -  r|(S,e)  and  p  -  ,n(^,9<p).  Let  f  be  any  entry  in  p  but  not  in  a 

whose  value  is  some  pointer  p.  If  f  ■  EntQ(e,l)  for  some  execution  e, 

P 

then  for  any  other  execution  e',  f  is  in  duration  D(e')  in  p  iff  D(e') 
extends  to  the  end  of  Ha.  Furthermore,  0  ■  X  •  no  durations  extend  to 
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the  end  of  Ha  for  any  pointer  p. 

P 

Proof: 

Key  definitions:  Def.  5.1-4  -  access  history;  Defs.  5. 1-6+5. 1-8  -  reach; 
Defs.  5. 1-5+5. 1-7  -  duration;  Def.  5.2-5  -  CC 

Proof  is  by  induction  on  the  length  of  0.  Let  lnt(P)  be  (St,  I, IE). 

Basis:  |©|  -  0. 

(1)  a  ■  X  and  P  «  rl(^,6)  consists  of  input  entries  to  a  single  execution 

Alg.  4.3-1 

(2)  If  there  is  no  pointer-valued  entry  Entp(e ,1)  in  P-a,  then  the 

Lemma  is  vacuously  true.  Assume  therefore  that  there  is  an  entry 
f  -  Entp(e,l)  for  some  execution  e,  and  that  V(f)  is  pointer  p 

(3)  For  any  execution  e'  <*  Ex(d,k),  f€D(e')  in  P  •  /(d)  is  Assign, 

Update,  or  Delete  and  either 

Q 

(3a)  f  -  Entp(e,l)  and  Entp(e',l)  are  distinct  entries  in  h£,  or 

(3b)  p  is  the  value  of  the  output  entries  in  P  of  a  Copy  execution  C  (2) 

(4)  -  In(/(d))  >  0  Def.  4.3-1 

(3a)  <•  e'  #  e  and  e'  is  initiated  in  p  •  there  is  an  input  entry  to  e' 

in  P  [(4)+Def.  4.2-6].  (3b)  -»  Ent^(C,l)  strictly  precedes 

f  *  Entp(e,l)  in  p  [ (2)+Lenma  5.2-3];  l.e.,  there  is  an  input 
entry  to  C*e  in  p.  Therefore,  f€D(e’)  »  there  are  input  entries 
to  two  distinct  executions  in  p  [(3)],  so  by  (1), 

(5)  For  any  execution  e',  f  is  not  in  D(e')  in  p 

(6)  a  is  a  computation  for  Int(P)  Lemma  4.3-2 

(7)  For  any  execution  e'  *  Ex(d,k),  and  any  pointer  p,  D(e')  extends 

to  the  end  of  Ha  -  /(d)  is  Assign,  Update,  or  Delete,  and  either 
P 
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(7a)  Ent  (e',1)  is  in  H  ,  or  (7b)  there  is  a  Copy  execution  C  such  that 
a  p 

C  is  in  the  reach  R(e')  in  a  [Def.  5.2-6].  (7a)  *»  e*  is  initiated  in  a 

wrt  Int(P)  [(6)].  (7b)  =»  Enta(C,l)  is  in  duration  D(e')  in  a  *»  Enta(C,l) 

is  in  an  access  history  in  a  =»  C  is  initiated  in  a.  Hence,  for  any 

execution  e' ,  D(e')  extends  to  the  end  of  Ha  =»  there  is  an  execution  of 

P 

an  operation  having  non-zero  input  arity  Initiated  in  a  [Def.  4.3-1]  «* 
there  is  an  entry  in  a  [Def.  4.2-6].  By  this  and  (5), 

For  any  execution  e',  ftfD(e')  and  D(e')  does  not  extend  to  the  end  of  Ha. 

P 

Induction  step:  Assume  that  the  Lemma  is  true  for  any  9q>  in  which 
0  <  | ©  |  £  n,  and  consider  6<p  in  which  1 6 1  “  n+1.  Let  the  final  firing  <p 
be  the  firing  of  the  actor  labelled  d. 

(8)  p  is  a  followed  by  input  entries  to  Ex(d,k),  followed  possibly  by 


more  entries 


Alg.  4.3-1 


(9)  Assume  that  there  is  an  entry  f  in  p-a  whose  value  is  pointer  p, 

and  that  f  *  Ent0(e,l)  for  some  execution  e.  Then  e  «*  Ex(d,k)  (8) 

P 

(10)  Hp  is  a  prefix  of  f  is  in  H^,  and  for  every  entry  Ent(e',j) 

in  H^-Ha,  eVe  =»  e'  is  not  a  structure  operation  execution 
P  P 

(8)+Lemma  5.2-5 

(11)  Let  NAR  (NAR')  be  the  node  activation  record  derived  from  6  and  a 


(0 <p  and  p) .  Then  ran  NAR  is  consistent  with  U 


Lemma  5.2-2 


(12)  Let  CC  (CCQ)  be  the  Creating-Copy  function  corresponding  to  NAR 
a  p 

(NAR').  CCQ(p)  is  defined  =»  NAR(CC^(p))  •  (p,n)  for  some  n 


(13)  ■»  CCa(p)  is  initiated  in  a 


Def.  5.2-4 


A  (p,n)€ran  NAR  [Def.  5.2-1]  -  NAR'(CCp(p))  -  NAR(CCa(p))  -  (p,n)  [(12)+ 
Leona  5.2-5]  A  pjtdom  n  in  U  [(ll)+Def.  5.2-3]  • 


(14)  CCp(p)  -  CCa(p) 
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(15)  A  the  first  entry  with  value  p  In  p  (If  any)  Is  an  output  entry 

of  CCQ(p)  and  Is  strictly  preceded  by  EntQ(CCQ(p) ,1) 

P  P  P 

(ll)+(12)4Lem«a  5.2-3 

(16)  In  suosary,  CCQ(p)  Is  defined  *  p  is  the  value  In  pi  of  the  output 

entries  of  a  Copy  execution  CC  (p),  which  is  Initiated  in  a 

a 

(17)  There  Is  a  Copy  execution  C  whose  output  entries  In  P  have  value  p 

°  CCp(p)  Is  defined,  C  ■  CC^(p),  and  Ent^(C,l)  strictly  precedes 
the  first  entry  in  P  with  value  p,  which  is  an  output  entry  of  C 

(ll)+(12)+Lemaa  5.2-3 

o  is  a  prefix  of  P,  and  both  are  causal  coespu tat ions  for  Int(P)  [(8)+ 
Lena  4.3-2],  so 

(18)  For  any  Copy  execution  C  initiated  in  a  and  any  other  execution  e', 

C  is  in  the  reach  R(e')  in  a  iff  C  is  in  R(e')  in  P  (17)+Lema  5.2-6 

(19)  For  any  execution  e',  CCQ(p)  is  defined  and  CCa(p)  is  in  R(e')  in 

a  **  p  is  the  value  of  the  output  entries  in  P  of  a  Copy  execution 
C,  and  C  is  in  R(e')  in  {3  [(16)+(18)]  •  p  Is  the  value  in  p  of 
the  output  entries  of  a  Copy  execution  C,  and  Rnt^(C.l) CD(e')  in  p 

(20)  There  is  a  Copy  execution  C  whose  output  entries  in  p  have  value  p 

*»  Ent  (C,l)  strictly  precedes  Ent_(e,l),  so  C#e  (17)+(9) 

P  P 

(21)  A  NAR'(C)  -  (p,n)  for  some  node  n  (17)+(12) 

(22)  *»  Ent  (C,l)  is  in  a  «•  C  is  initiated  in  a  (8)40ef.  4.2-6 

P 

•  NAR(C)  -  NAR'(C)  -  (p,n)  for  some  n  {(21)+Leona  5.2-5] 

(23)  CCQ(p)  is  defined  and  equals  C 

(24)  For  any  execution  e',  there  is  a  Copy  execution  C  whose  output 

entries  in  p  have  value  p  and  Ent  (C,l)€D(e')  in  p  •  there  is  a 

P 

Copy  execution  C  whose  output  entries  in  p  have  value  p  and 
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C€R(e')  in  p  =*  CCa(p)  is  defined  and  C€R(e')  in  a 

(20)+(23)+(22)+(18) 

Entp(e',l)  precedes  f  ■  Ent^Ce, 1)  in  and  e'  is  a  structure  operation 

execution  =»  EntQ(e',l)  is  in  HQ  [(10)],  so 
P  P 

(25)  e’  ■  Ex(c,n)  is  a  structure  operation  execution  and  either  Ent0(e',l) 

P 

precedes  f  in  HP  or  Ent  (e',1)  is  in  Ha  =>  e'  is  initiated  in  a  A 
pa  p 

In(  /(c) )  >0  [Defs.  4. 3-2+4. 3-1+2. 1-5]  =>  EntQ(e\l)  «  Ent  (e',1) 

P  a 

(8)+Def .  4.2-6 

For  any  Assign  execution  e',  D(e')  extends  to  the  end  of  Ha  iff 

P 

a.  Ent  (e',1)  is  the  last  input  entry  to  an  Assign  execution  in  Ha 
a  p 

or  b.  there  is  no  input  entry  to  an  Assign  execution  in  H®,  CC^(p)  is 
defined,  and  CCa(p)€R(e')  in  a  [Def.  5.2-6]  iff 
a.  Entp(e',l)  is  the  last  input  entry  to  an  Assign  execution 
preceding  f  in  [(10)+(25)], 

or  b.  there  is  no  input  entry  to  an  Assign  execution  preceding  f  in 

g 

p*  t*lere  is  a  Copy  execution  C  whose  output  entries  in  (3  have 
value  p,  and  Entp(C,l) €D(e')  in  p  [(10)+(19)+(24) ] 
iff  f€D(e')  in  p. 


Replacing  "input  entry  to  an  Assign  execution"  with  "number-1  input 

entry  to  an  Update/Delete  execution  having  a  particular  selector  input" 

in  the  above  paragraph  yields  a  proof  that: 

For  any  Update/Delete  execution  e',  D(e')  extends  to  the  end  of  Ha 

P 

iff  f €D(e')  in  p. 

A 


w 
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Theoren  5.2-1  Let  S  m  (T,U)  be  any  Initial  standard  state  for  an  L  _ 
program  P,  and  let  2  be  any  firing  sequence  starting  in  S.  Let  co  ■  r)(S,2) 
and  let  NAR  be  the  node  activation  record  derived  from  2  and  co.  Then  the 
heap  determined  by  co  from  U  and  NAR  is  defined  and  is  identical  to  the 
heap  in  the  state  5*2. 

Proof: 

Key  definitions:  Def.  2.2-5  -  structure  operations;  Alg.  4.3-1  -  t](S,2) ; 
Def.  5.2-1  -  node  activation  record;  Def.  5.2-5  -  Creating  Copy  function; 
Def.  5.2-6  -  durations  extending  to  the  end  of  an  access  history; 

Def.  5.2-7  -  heap  determined  by  co  from  U  and  NAR 

Since  co  is  a  computation  for  Int(P)  [Lemma  4.3-2]  and  NAR  is  compat¬ 
ible  with  co  and  ran  NAR  is  consistent  with  U  [Lemma  5.2-2],  the  heap 
determined  by  co  from  U  and  NAR  is  defined  [Def.  5.2-7].  Prove  the  rest 
of  the  theorem  by  induction  on  the  length  of  2.  Let  U  ■  (N^,11q,SHq). 
Basis:  |2|  ■  0.  Let  (N,II,SM)  be  the  heap  determined  by  co  ■  tj(S,2)  . 

(1)  5*2  -  5,  so  the  heap  in  S’ 2  is  (N0J10,SM0)  Def.  2.3-1 

There  are  no  entries  in  co.  Since  In(Copy)  -  1,  there  are  no  Copy  execu¬ 
tions  initiated  in  co  [Defs  5. 1-1+4. 2-6] .  Since  ran  NAR  is  empty,  IT  -  nQ 
and  N  *  Nq  [Def.  2.2-1].  Let  (p,n)  be  any  pair  in  TT.  Then  no  durations 
extend  to  the  end  of  [Lemma  5.2-7].  SM(n)  ■  SMg(m)  where,  since 
(p,n)€T0,  m  -  n.  Therefore,  (N,n,SM)  is  the  heap  in  5*2  [(1)]. 

Induction  step:  Assume  that  the  Theorem  is  true  for  any  2  of  length 
n  >  0.  Consider  firing  sequence  0<p  of  length  n+1,  in  which  the  last 
firing  <p  is  the  k**1  firing  of  the  actor  in  P  labelled  d.  Let  a  -  t}(S,0) 


and  p  -  r)(5,6cp>,  and  let  (NJT,SN)  and  (N' JT'iSM')  be  the  heaps  in  S’ 0 


-513- 


and  S'Qi p  respectively. 

(2)  p  is  a  followed  by  m  input  entries  to  an  execution  e  «  Ex(d,k), 

where  a  is  the  number  of  tokens  removed  by  <p,  followed  possibly  by 
input  entries  to  executions  Ex(cti)  where  c  is  in  DL  Def.  4.3-1 

(3)  Any  execution  Ex(c,n)#e  initiated  in  p  but  not  in  a  has  input 

entries  in  p-a,  and  so  is  not  a  structure  operation  execution 

(2)+Defs.  4. 2-6+4. 3-2 

(4)  For  any  pointer  p,  is  a  prefix  of  ,  any  input  entries  to  e 

which  have  value  p  are  in  H^,  and  for  any  entry  Ent(e' ,1)  in  H^-Ha, 

P  P  P 

eVe  =*  e  is  not  a  structure  operation  execution  Lemma  5.2-5 

Consider  first  the  consequences  of  (p's  not  being  a  firing  of  certain 

types  of  actors.  Let  NAR  (NAR')  be  the  node  activation  record  derived 

from  0  and  a  (0<p  and  p)  given  Int(P) .  Let  (N  ,n.SM  )  and  (NQ,nQ,SM_) 

a  a  a  p  p  p 

be  the  heaps  determined  by  a  from  U  and  MAR  and  by  p  from  D  and  NAR' . 

(5)  na  -  n  and  Nq  «  N  ind.  hyp. 

(6)  (p  is  not  a  Copy  firing  =»  N'  ■  N  and  n'  ■  II  iDef.  2.3-1]  A  the  set 

C  of  Copy  executions  initiated  in  a  equals  the  set  of  Copy 

executions  initiated  in  p  [(3)]  =»  for  any  C€C,  NAR' (C)  -  MAR(C) 

■*  ran  NAR'  -  ran  NAR  [Lemma  5.2-5+Def .  5.2-4]  -  N'  -  N  -  N  -  N_ 

a  p 

and  II'  -  n  -  n  -  nQ  [(5)] 
a  p 

(7)  NAR'  is  a  node  activation  record  and  ran  NAR'  is  consistent  with  U 

Lemma  5.2-2 

Hence,  for  any  pointer  p,  there  is  at  most  one  Copy  execution  C  such 
that  NAR' (C)  has  p  in  it  [Def.  5.2-3]. 

(8)  For  any  n,  (p,n)€THlQ  «•  3Copy  execution  C:  NAR(C)  -  (p,n)  and  C  is 

initiated  in  a  ((5)]  »  NAR'(C)  *  (p,n)  [Leans 


5.2-5] 
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(9)  Let  CC  (CCQ)  be  the  Creating-Copy  function  corresponding  to  NAR 
a  p 

(MAR').  CC„(p)  Is  defined  »  there  is  an  n  such  that  NAR'(CCQ(p)) 

P  P 

Is  defined  and  equal  to  (p,n)  ■»  (p.n)friQ  [(7)+Def.  5.2-3] 

(10)  CCa(p)  is  defined  »  there  Is  a  Copy  execution  C  and  a  pointer  n 

such  that  NAR(C)  -  (p,n)  *»  C  is  initiated  In  a  [Def .  5.2-4]  «• 

NAR'(C)  -  (p,n)  [Leona  5.2-5]  -  CC.(p)  Is  defined 

P 

(11)  (p,n)€T7  and  CC^(p)  is  defined  =»  (p,n)€TI-flQ  [(9)] 

*»  3Copy  execution  C  initiated  in  a  and  NAR(C)  *  NAR’(C)  -  (p,n)  [(8)]  ■» 

(12)  EntQ(C,l)  is  in  a  [(2)+Def.  4.2-6] 

P 

(13)  A  CC  (p)  is  defined  and  equal  to  C  ■  CCQ(p) 

a  P 

(14)  •  Enta(CCa(p) ,1)  -  Entp(CCp(p) ,1)  [(12)] 

Both  a  and  P  are  causal  conputations  for  Int(P)  [Lemma  4.3-2]  and  a  is 
a  prefix  of  p  [(2)].  For  any  pointer  p»  p  is  the  value  of  the  output 
entries  in  p  of  a  Copy  execution  C  -  the  first  entry  in  p  with  value  p 
is  an  output  entry  of  C  [Lemma  5.2-3].  From  these 

(15)  For  any  (p,n)€I  such  that  CCQ(p)  is  defined,  and  for  any  Assign, 

P 

Update,  or  Delete  execution  A,  CC  (p)  is  in  reach  R(A)  In  p  iff 

P 

CCQ(p)  is  In  R(A)  in  a  (ll)+(14)+Lemna  5.2-6 

Consider  now  the  case  that  for  some  (p,n)€TI,  <p  is  not  an  Assign  firing 
which  removes  a  token  of  value  p. 

(16)  SN'(n)  has  the  same  value  as  SM(n) 


Also,  e  is  not  an  Asslgu  execution  with  V(EntQ(e,l))  -  p  [(2)],  so  e 

P 

is  not  an  Assign  execution  with  Ent0(e,l)  in  .  Therefore,  from  (4), 

P  P 

(17)  Ha  is  a  prefix  of  and  there  are  no  Assign  execution  input  entries 
P  P 

in  HP-Ha 
P  P 


! 


Ktfi 
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(18)  For  any  Assign  execution  A,  D(A)  extends  to  the  end  of  =>  either 

P 

EntQ(A,l)  Is  the  last  input  entry  to  an  Assign  execution  in  H^,  or 
P  P 

there  is  no  such  entry,  and  CCQ(p)  is  defined  and  is  in  R(A)  in  B 

P 

=»  either  A#e  and  Enta(A,l)  is  the  last  input  entry  to  an  Assign 

execution  in  Ha  [(17)],  or  there  is  no  such  entry  in  Ha  [(17)]  and 
P  P 

CCQ(p)  is  defined  and  is  in  R(A)  in  a  [(11)+(13)+(15)] 

(19)  For  any  Assign  execution  A,  D(A)  extends  to  the  end  of  »  A#e 

and  D(A)  extends  to  the  end  of  Ha  [(18)],  and  the  value  in  SM  (n) 

P  P 

is  V(Ent  (A,  2))  =»  the  value  in  SM  (n)  is  V(Ent  (A,  2))  =>  the  values 
P  a  a 

in  SM  (n)  and  SM  (n)  are  the  same  [(2)+(3)] 

P  a 

(20)  (p,n)  =»  Ent  (CC  (p),l)  ■  Ente(CC  (p),l),  and  that  entry  is  in 

u  a  a  p  p 

a  [ (11)+(14)+(12) ]  =»  V(Ent  (CC  (p)  ,1))  is  dynamically  descended 

P  P 

from  a  pointer  q  in  p  only  if  V(Enta(CCQ(p) ,1))  is  dynamically 
descended  from  q  in  a  [ (2)+(3)4Def .  5.1-9] 

(21)  There  is  no  Assign  execution  A  such  that  D(A)  extends  to  the  end  of 

=»  there  is  no  Assign  input  entry  in  and,  even  if  CC^(p)  is 

defined,  there  is  no  Assign  execution  A  such  that  CC  (p)  is  in 

P 

R(A)  in  p  a  there  is  no  Assign  input  entry  in  H°  [(17)]  and  even  if 

CC  (p)  is  defined,  there  is  no  Assign  execution  A  such  that  CC  (p) 
a  a 

is  in  R(A)  in  a  [(10)+(15)]  a  there  is  no  Assign  execution  A  such 

that  D(A)  extends  to  the  end  of  Ha  »  if  (p,n)€nn»  the  value  in 

P  0 

SMp(n)  and  the  value  in  SMa(n)  are  both  equal  to  the  value  in 
Sh^(n),  and  if  (p,n)€7-ng,  the  value  in  SM^(n)  is  the  value  in 
SMg(m),  where  (q,m)  is  that  unique  pair  in  I1q  such  that 
V(Entp(CCp(p) ,1))  is  dynamically  descended  from  q  in  p,  in  which 
case,  the  value  in  SMa(n)  is  also  the  value  in  SMq(b)  [(20)] 
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I.e.,  there  is  no  Assign  execution  A  such  that  D(A)  extends  to  the 

end  of  *»  the  value  in  SMa(n)  equals  the  value  in  SM  (n) 

P  P  a 

(22)  For  all  (p,n)  01,  <p  is  not  an  Assign  firing  which  removes  a  token 

of  value  p  »  the  value  in  SM'(n)  equals  the  value  In  SM0(n) 

P 

(16)+(l9)+(21)+lnd .  hyp. 

Replacing  “Assign  firing  (execution)"  with  “Update/Delete  firing 
(execution)"  in  (16)-(21)  yields  a  proof  of 

(23)  For  any  (p,n)01  and  selector  s€Z,  <p  is  not  an  Update/Delete  firing 

with  pointer  input  p  and  selector  input  s  =»  there  is  a  pair  (s ,r) , 

for  some  node  t,  in  SM  (n)  iff  (s,r)  is  in  SM'(n). 

P 


There  are  now  four  cases  to  consider,  based  on  the  type  of  actor  of  which 
ip  is  a  firing. 

Case  I:  <p  is  not  a  firing  of  a  Copy,  Assign,  Update,  or  Delete. 

N’  -  Nft,  n'  -  nQ,  and  Tl'  -  n  [(6)J.  For  all  (p,n)6n*, 

P  P 

SMp(n)  -  SM'(n)  [(22)+(23)].  I.#.,  (Np,IIp,SMp)  -  (N' ,11'  »SM') 

Case  II:  ip  is  an  Assign  firing. 

(24)  «Q  -  M* ,  nfl  -  IT ,  and  N’  -  N  (6) 

P  p 

(25)  Let  p  be  the  pointer  input  to  <p,  and  let  n  *  I7(p).  Then  for  all 

■*n€N\  SMp 

SM' (n)  (24)+(22)+(23) 


(m)  "  SM'(m),  and  SM^(n)  has  the  same  ordered  pairs  as 


The  value  in  SM'(n)  is  equal  to  v,  the  value  of  the  token  removed  from 
d's  number-2  input  arc  by  <p  [(25)].  e  is  an  Assign  execution,  V.(Entp(e,l)) 

is  p,  and  V(EntQ(A,2))  *  v  [(2)+(23)].  Entfl(e,l)  is  the  last  input  entry 

p  P 

to  an  Assign  execution  in  [ (4) ] ,  so  duration  D(e)  extends  to  the  end 

of  Therefore,  the  value  in  SMfl(n)  is  v.  Hence 

P  P 
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if  (p  la  an  Assign  firing,  then  (N0,n_,SM0)  -  (N’.n’.SM'). 

P  P  P 

Case  III:  ip  is  an  Update  or  Delete  firing 

(26)  H  -  H',  na  -  IT',  H'  -  N,  and  n'  -  n  (6) 

P  ,  P 

(27)  Let  p  be  the  pointer  input  to  <p,  let  n  ■  n(p),  and  let  s  be  the 

selector  input  to  <p.  Then  for  all  m^n€N',  SM  (m)  =  SM' (m) ,  SM  (n) 

P  P 

has  the  same  value  as  SM'(n),  and  for  all  sVs,  there  is  a  pair 

(s',r),  for  some  node  r,  in  SM  (n)  iff  (s '  ,r)  €SM' (n)  (26)+(22)+(23) 

P 

(28)  e  is  an  execution  of  the  same  action  of  which  <p  is  a  firing, 

V(Entp(e,l))  -  p,  and  V(Entp(e,2))  =  s  [(2)+(27)].  Entp(e,l) 
is  the  last  input  entry  to  an  Update  or  Delete  execution  with 
selector  input  s  in  [(4)],  so  D(e)  extends  to  the  end  of 

(29)  cp  is  a  Delete  firing  =>  there  is  no  pair  in  SM'  (n)  with  s  in  it 

[(27)]  and  e  is  a  Delete  execution,  so  there  is  no  pair  in  SM  (n) 

P 

with  s  in  it  [(28)],  from  which,  SMQ(n)  *  SM' (n)  [(27)] 

P 

(30)  If  (p  is  an  Update  firing,  let  q  be  the  pointer  it  removes  from  d's 

number-3  input  arc.  Then  the  pair  (s,n(q))  is  in  SM' (n) ,  and  is 
the  only  pair  containing  s  in  SM* (n)  [(27)],  and  e  is  an  Update 

execution  with  V(EntD(e,3))  ■  q  [(2)],  so  the  pair  (s,no(q))  is 

P  P 

in  SM  (n)  and  is  the  only  pair  containing  s  in  SM  (n)  [(28)]; 

P  P 

i.e.,  the  pair  (s,II(q))  is  in  SM  (n)  [(26)].  Therefore, 

P 

SMp(n)  -  SM’(n)  [(27)] 

Hence,  if  cp  is  either  an  Update  or  a  Delete  firing, 

(Np^Ip,SMp)  -  (N\I7’,SM’)  [ (26)+(27)+(29)+(30) ] . 

Case  IV:  cp  is  a  Copy  firing. 

(31)  For  all  (p,n)fTT,  SMQ(n)  -  SMf(n)  (22)+(23) 

P 

(32)  Let  (p  be  (d,(p,n)).  Then  n'  -nU[(p,n)>  and  N'  -  NU{n}  Def.  2.3-1 


Let  Cbe  the  set  of  Copy  executions  initiated  in  a.  Then  the  set  of  Copy 
executions  initiated  in  p  isCU{e}.  [(2)+(3)].  For  all  C (C, 

NAR'(C)  ■  NAR(C)  [Lemma  5.2-5].  Hence  ran  NAR'  -  ran  NARUNAR'(e).  From 
this  and 

(33)  NAR*  (e)  is  the  ordered  pair  in  the  k1*1  firing  of  d  in  0cp,  vhich  is 

the  ordered  pair  in  <p,  which  is  (p,n)  (2)+(32)+Def .  5.2-4 

it  is  seen  that  no  -  ELUran  NAR'  -  ELUran  NARU{(p,n)  >  -  n  U{(p,n)  }. 

P  u  u  a 

Then,  N_  *  N  U{n}.  Therefore, 

P  a 

(34)  Np  -  N'  and  np  -  n'  l(32)+(5)] 

(35)  Let  q  be  the  value  of  the  token  removed  by  <p,  and  let  m  -  n(q) • 

Then  SM'(n)  -  SM(m)  (32) 

(36)  CC.(p)  is  defined  and  equals  e  (33) 

P 

Ent0(e,l)  strictly  precedes  the  first  entry,  if  any,  in  p  with  value  p 
P 

[(36)+Lemma  5.2-3],  so  there  is  no  entry  in  a  with  value  p  [(2)].  Thus 
if  there  is  an  entry  with  value  p  in  p,  it  is  not  an  input  entry  to  a 
structure  operation  execution  [(3)].  Therefore, 

(3?)  contains  no  input  entries  to  structure  operation  executions  (3) 
P 

(38)  Entc(e,l)  is  in  p  but  not  in  a  and  its  value  is  q  (2)+(35) 

P 

Therefore, 

(39)  For  all  executions  e',  duration  D(e')  extends  to  the  end  of 

P 

iff  e€R(e')  in  p  [(37)+(36)]  iff  Entp(e,l)€D(e')  in  p  [Defs.  5.1-6+ 

5.1-8]  iff  D(e')  extends  to  the  end  of  Ha  [(38)+Lemma  5.2-7] 

9 

Since  (p,n)tfT0  [(7)+(33)], 

(40)  Letting  r  be  the  unique  pointer  in  dom  TIq  from  which 

q  -  V(Entp(CCp(p) ,1))  is  dynamically  descended  in  p,  SH^(n)  depends 
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on  SMQ(no(r))  and  on  the  input  entries  to  the  executions  whose 

Q 

durations  extend  to  the  end  of  Hp  (38)+(36) 

P 

(41)  (q ,m) €1  [(35)+Thm.  2.2-1].  (q,m)€l0  =»  q  -  r  [(40)+(35)]. 

(42)  (q,m)tfn0  =»  (q,m)€Tl-no  [(41)]  =>  r*q  A  CC^(q)  is  defined  and  q  is  the 

value  of  its  output  entries  in  (3  [(40)+Lemma  5.2-3]  A 

Ent  (CC  (q) ,1)  *  Ent0(CCD(q) ,1) ,  and  that  entry  is  in  a  [ (11)+(14)+ 
a  a  p  p 

(12)]  =»  V(Ent„ (CCQ (q) ,1))  is  dynamically  descended  in  P  from  every 

P  P 

pointer  except  q  from  which  q  is  dynamically  descended  in  (3 
[ (40)+Def .  5.1-9]  =»  V(Enta(CCa(q) ,1))  is  dynamically  descended  in 
p  from  r  =»  V(Enta(CCa(q) ,1))  is  dynamically  descended  in  a  from 
r  [ (2)+(3)-H)ef .  5.1-9]  =»  r  is  the  unique  pointer  in  dom  rTQ  from 
which  V(Enta(CCa(q) ,1))  is  dynamically  descended  in  a  [Lemma  5.2-4] 
SMa(m)  depends  in  the  same  way  on  SMQ(no(r))  and  On  the  input  entries 
to  the  executions  whose  durations  extend  to  the  end  of  [ (40)+(41)+(42) ] . 

3  CL 

The  same  executions'  durations  extend  to  the  end  of  and  H^,  and  their 
input  entries  are  the  same  in  a  and  [3  [ (39)+(19)+(2)+(3) ] .  Therefore, 
SMp(n)  *  SMa(m)  [(40)].  By  induction  hypothesis,  SMa(m)  •  SM(m) .  So 
SMp(n)  =  SM'(n)  [(35)].  Hence,  (Np.n^.SMp)  -  (N'.n'.SM')  [(34)+(31)+ 

(32)]. 


Q.E.D. 


-520- 


Theorem  5.3-1  For  any  two  equal  standard  states  S ^  and  for  the  sane 
program  P,  and  any  two  equal  firing  sequences  2^  starting  In  5^  and  22 
starting  in  S2>  *^2*^2  e<lua^8  S^*2^.  Furthermore,  if  I  is  the  mapping 
under  which  the  conditions  of  each  arc  b  in  P  match  in  S ^  and  S 2,  then  the 
mapping  under  which  the  conditions  of  b  in  5^*2^  and  matc^>  is 

IU[(n^,n2) |  3k:  for  1*1,2,  n^  is  the  node  in  the  k**1  firing  in  2^}. 

Proof: 

Key  definitions:  Def.  2.1-5  -  non-structure  operations; 

Def.  2.2-5  -  structure  operations;  Def.  2.4-1  -  equal  components; 

Def.  2.4-2  -  Match 

Proof  is  by  induction  on  the  length  of  2^. 

Basis:  |2jJ  -  0.  Then  |22l  -  0  [Def.  2.4-5]-,  so  S2*22  “  $2  and 
5^*2^  *  [Def.  2.3-1].  By  hypothesis,  then,  S2'22  equals  S^‘2^. 
Induction  step:  Assume  the  Theorem  is  true  if  2^  is  of  length  n  >  0,  and 
consider  equal  firing  sequences  2^<p^  and  22<p2,  starting  in  and  S^, 
where  2^<p^  is  of  length  nfl  and  its  last  firing  <p^  is  of  the  actor  in  P 
labelled  d. 

(1)  22<p2  Is  also  of  length  nfl  and  (p2  is  also  a  firing  of  d  Def.  2.4-5 

^2  ^2  e<*ua*8  by  induction  hypothesis,  so 

(2)  There  is  a  one-to-one  mapping  I  such  that,  for  each  arc  b  in  P, 

Match((b,S2-22),  I,  (b.S^^)  Def.  2.4-3 

(3)  If  d  is  a  gate  actor,  then  the  control  token  removed  by  ip^  has  the 

same  value  as  the  control  token  removed  by  <f>2  (2) 

(4)  For  each  arc  b  in  P,  b  has  no  token  in  £^*2jg>^  iff  either 

b  is  neither  an  input  nor  output  arc  of  d  and  has  no  token  in  5^*2^, 
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b  Is  an  Input  arc  of  d  from  which  <p^  removes  an  input  token,  or 
b  is  an  output  arc  of  T-  or  F-gate  d  and  <p^  places  no  token  on  b 
iff  b  is  neither  an  input  nor  output  arc  of  d  and  has  no  token  in 
^2*^2  ^)]  or  b  is  an  input  arc  of  d  from  which  ( p2  removes  a  token 
or  b  is  an  output  arc  of  T-  or  F-gate  d  and  places  no  token 
on  b  [(3)]  iff  b  has  no  token  in  *^2^2 
At  this  point.  It  will  be  helpful  to  introduce  the  following  notation: 

For  any  state  S  of  any  program,  and  for  any  arc  b  of  the  program  which 
holds  a  token  in  •?,  denote  by  TV(b,5)  the  value  of  that  token. 

(5)  For  each  arc  b  in  P  which  has  a  token  in  and  is  not  an 

output  arc  of  d,  TV(b,5^*2j<p^)  •  TV(b,5^-Cp  and 

TV(b,s2-22<p2)  -  iv(b,s2-a2)  (4) 

(6)  TV(b,S  is  not  a  pointer  -  TV(b,S2‘&2)  -  TVCb.S^Gp  [(2)]  =» 

Tv(b,52-a2<p2)  -  T t<5)] 

(7)  For  1*1,2,  let  the  heap  in  be  *  (N^.n^.SM^),  and  let  the 

heap  in  *^*8  <p^  be  ■  (Nj,nj,SMp.  For  any  arc  b,  TV(b,Spfip 
is  a  pointer  Pj^  =»  letting  p2  •  TV(b,S2'S22) ,  U2.rT2(p2)  i  U^J^Cpp  ^ 
[(2)]  =»  I(ni(p1))  *  n2(p2),  and,  for  any  node  n  equal  to  or  reach¬ 
able  from  II  (p  )  in  SM2(I(n))  -  KSM^n)) 

(8)  Let  q^  and  q2  be  the  values  of  the  number-1  input  tokens  to  cp^  and 

<P2  respectively,  and  for  i*l,2,  let  ■  n^^Cq^) .  Then  m2  ■  I(m^) 

(7> 

(9)  For  all  (q,m)Cl^,  m*m^  or  <p^  is  not  an  Assign,  Update,  or  Delete 

firing  •*  SM|(m)  ■  SM^(m) 

(10)  For  all  (q,m)€TI^  such  that  m  equals  or  is  reachable  from  n^(p)  for 
any  pointer  p  on  an  arc  in  m^m^  or  ip^  is  not  an  Assign, 


Update,  or  Delete  firing  *»  m2  t  I(m)  or  <p2  Is  not  an  Assign,  Update, 
or  Delete  firing  ((8)+<2)+<l)],  and  SM2(I(m))  -  I(SM  (a))  [(7)]  • 
SM'(I(n))  -  SM2(I(a))  -  I^M^a))  -  l(SMj(a))  [(8)+(9)] 

(11)  If  SM^mj)  -  {v,  (s1,n1),...,(Sj,nj)),  then 

SM2(a2)  -  (v,  (s1,I(n1)),...,(sj,I(nj)))  (8) 

(12)  Let  b  be  d’s  number-2  input  arc  (if  any),  (p^  is  an  Assign  firing  » 

SM*(Bi)  -  (v',  (s^.n^) » •  •  •  ,(Sj  ,Hj)  }  where  v'  «  TVO^S^p  [(11)] 

=*  <p2  is  an  Assign  firing  with  TV(b,S2*22)  -  v'  [(l)+(6)]  - 
SM^(m2)  -  {v1,  (s1,I(n1)),...,(sj,I(nJ))}  [(H)]  =» 

SM'(m2)  -  KSMpmp) 

(13)  (p^  is  a  Delete  firing  =»  SM^(m^)  is  SM^(m^)  minus  the  pair  with 

selector  s  ■  TV(b,£p2p  (if  any)  =»  <p2  is  a  Delete  firing  and 
TV(b,S2*22)  *  8  [(l)+(6)]  «•  SM2(m2)  is  SM2(m2)  minus  the  pair 
with  selector  s  (if  any)  =*  SM^fap  -  I(SM£(Bj))  [(H)] 

(14)  <p^  is  an  Update  firing  ■<»  SM^(m^)  ■  SM^(m^)  with  any  pair  having  s 

in  it  replaced  by  (s,  n^qp),  where  s  -  TVOj.S^p  and  for  c 
d's  number-3  input  arc,  TVte.Spap  -  qj  »»  <p2  is  an  Update  firing, 
TV(b,52*22)  "  8»  TV(c,S2*22)  “  q£  such  that  n2(q2)  -  iQipqp) 

[(l)+(6)+(7)]  »  SM2(m2)  is  SM2(m2)  with  any  pair  having  s  in  it 
replaced  by  (s,I(ni(qp))  -  SM^ap  -  I(SM’(*p)  [(H)] 

(15)  nx  c  nj  and  n2cnj  (7) 

(16)  Let  b  be  any  arc  which  is  not  an  output  arc  of  d  such  that 

TV(b,S1’2101)  is  some  pointer  p2>  Then  p^^  is  on  an  arc  in  5^2^ 
and  TVOsS^^p  "  TV(b,S2’2p  is  a  pointer  p2  such  that 

i(n1(p1))  -  n2(p2) 


(17)  Knppp)  -  n’(p2) 


(5)+(7) 

(15)+(16) 
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(18)  For  any  pointer  p€dom  n^,  n  is  any  node  reachable  from  IV  (p)  in  Uj 

*»  there  is  a  chain  of  nodes  r^,r ^ . r^  such  that  r^  «  n£(p), 

r^  -  n,  and  for  i-l,...,k-l,  r^+^  is  ®  successor  of  r^  in  U^ 

[Def.  2.2-2]  =*  there  is  a  chain  of  nodes  ri»r2»*”»ric  such  that 

r^  *  IT^(p),  r^  »  n,  and  for  i*l,...,k-l,  r^+^  a  8ucces8°r  of  r^, 

unless  there  is  some  j  such  that  and  <p^  is  an  Update  firing, 

in  which  case  rj+i  *  ^l^P  where  q|  is  the  number-3  input  to  <p^ 

and  there  is  still  a  chain  r  r,  in  which  r,  -  n  and  for 

j+1  k  k 

i-j+1, . . . ,k-l,  r^+^  Is  8  successor  of  r^  in  [(15)+(9)+(ll)+ 
(12)+(13)+(14)+Def .  2.2-2]  =»  n  is  reachable  in  from  either 
rij^p)  or  n^qp  where  qj^  is  on  an  arc  in  S’ 2.  [Def.  2.2-2] 

(19)  For  any  pointer  p,  p  is  on  an  arc  in  or  n^p)  is  in  an 

ordered  pair  in  SM^n)  for  some  node  n€N^  =>  p£dom 

Thm.  2 . 2-1+Def .  2.2-1 

Let  n  be  any  node  equal  to  or  reachable  from  n^Cp^)  in  Uj .  Then  n  is 
equal  to  or  reachable  in  from  some  node  n^(p^)  where  p|  is  some 
pointer  on  an  arc  in  [(16)+(19)+(18)] .  n^m^  or  <p^  is  not  an 

Assign,  Update,  or  Delete  «  SM£(I(n))  -  I(SM|(n))  [(10)].  n  -  and 
^  is  an  Assign,  Update,  or  Delete  ■»  SM^(I(n))  -  l(SH|(n))  [(11)+(12)+ 
(13)+(14)].  Therefore,  U^.IT^p^  ”  U^n^p^)  [(17)].  From  this  and 
(4)+(5)+(6)+(16), 


(20)  For  any  arc  b  which  is  not  an  output  arc  of  d  and  has  a  token  in 

Sj/8^,  Match((b,S2’22(p2),  I,  (b^-2^)) 

(21)  For  each  arc  b  which  is  an  output  arc  of  d  and  has  a  token  in 

5l’®l<pl*  the  valu*  vi  *  TV(b,S1-ai(P1),  for  1-1,2,  is  output  by 

(4) 
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(22)  d  is  a  pi  operator  »  there  is  an  input  arc  a  of  d  such  that 

TV(a,5i*2i)  -  vA  (3)+(21)4Cef.  2.2-4 

(23)  d  is  a  pi  operator  a  is  non-pointer  v2  "  vi  (6) 

(24)  d  is  a  pi  operator  a  v^  is  a  pointer  »  I(nj(v^))  ■  n2(v2)  [(7)+(15)] 

A  since  is  on  an  arc  in  for  any  node  n  equal  to  or 

reachable  from  nj(Vj)  in  Uj,  n  equals  or  is  reachable  from  n^(v^) 
in  Ux  ( (21)+(15)+(19)+(18) ] ,  so  SMj(I(n))  -  I(SMj(n))  [(10)]  =» 
u’.n'(v2)  -  uj.nl (vx) 

(25)  v^  is  non-pointer  and  d  is  not  a  structure  or  pi  operator  =» 

depends  only  on  the  type  of  actor  d  is  and  on  the  values  on  d's 
input  arcs  in  for  i“l  ,2  a  all  those  input  arcs  hold  non- 

pointer  values  •  "  v2  t  C6) 1 

(26)  is  non-pointer  and  1?  not  identically  zero,  and  d  is  a 
structure  operator  «•  v^  depends  only  on  the  type  of  d,  the  non- 
pointer  input  to  and  the  value  and  set  of  selectors  in 
SMi(ni(qt))»  for  i-1,2  [(8)]  •  Vj  -  v2  [(6)+(ll)J 

(27)  v^  is  not  a  pointer  •  "  v2  (22)+(23)+(25)+(26) 

(28)  v^  is  a  pointer  and  d  is  not  a  pi  operator  =»  d  is  a  Select  or  Copy 

(29)  q>^  is  a  Select  firing  with  selector  input  s  *»  v^  *  qj,  where  the 

pair  (s,I7^(qj))  is  in  SM^(m^)  [(8)]  *»  <p2  is  a  Select  firing  with 
selector  input  s  and  (s,I(n^(qj)))  is  in  SM2(m2)  [(6)+(ll)]  • 

v2  ■  qj  where  n2(q2)  “  I(ni(qj))  A  every  node  reachable  from  nj(qj) 
in  Uj  is  reachable  in  from  17^ (qj),  hence  from  m^  [(15)+(19)+ 
(18)+(8)+Def .  2.2-2]  -  since  is  on  an  arc  in  for  every 

node  n  equal  to  or  reachable  from  nj(v^)  in  Uj, 

SMj(I(n))  -  I(SMj(n))  [(8)+(10)]  -  0|.n’(v2)  £  Uj.nj(v1) 


(30)  <PX  is  a  Copy  firing  =*  -II1U{(q^,n1)  },  vx  -  q^,  and 

SH^(n^)  -  [ (21)+(8) ]  A  <p2  is  a  Copy  firing  ■»  3(q2,n2): 

n2  “  n2U{(q^,n2)},  v2  -  q£,  and  SM^(n2>  -  SM2(m2)  [(l)+(8)]  «• 
letting  I'  -  lU{(nlfn2>},  I'fllj^Vj))  -  n^(v2>  A  since  every 
successor  of  n^  in  is  a  successor  of  m^  in  and  no  node's 
content  is  changed,  each  node  reachable  from  n^  in  is  reachable 
from  m^  in  [(9)+Def.  2.2-2]  =»  letting  m  be  any  node  reachable 
from  ^  in  Uj,  mfl^,  so  SM’(I'(m))  -  SM^(I(m))  -  I(SM[(m))  - 
I'(SM'(m))  [ (8)+(10) ]  A  SM'U'Cnj))  -  SM£(n2)  =  SM2(m2)  - 
I(SM1(m1))  -  I'CSM'Cnp)  [(8)+(7)]  -  U'.IT£(v2)  V  U^n'^) 

Therefore,  is  a  pointer  and  d  is  not  a  pi  operator  =» 
u2.n^(v2)  -  where 

!I  if  <p^  is  not  a  Copy  firing 

Il){ (n^,n2)}  if  tp^  is  a  Copy  firing  (d.CqJ,^))  and 
(p2  is  a  Copy  firing  (d,(q^,n2)) 
[(30)+(8)+(7)] .  In  summary,  then,  for  each  arc  b  in  P, 

Hatch ((b,52-22<p2),  I',  (b,51-21(p1))[(4)+(20)+(21)+(27)+(22)+(24)];  i.e., 
52*S2<p2  equals  [Def.  2.4-3]. 

A 

Lemma  5.3-4  Let  5  be  any  initial  state  for  an  L^g  program  P,  and  let  the 
heap  in  S  be  (HJ1,SM).  Lets  be  any  firing  sequence  starting  in  5,  let  co 
be  t)(5,Q) ,  and  let  e  be  any  execution  of  any  structure  operation  (except 
Copy).  Let  p  be  V(Ent(e,l)),  let  q  be  the  unique  pointer  in  dom  n  such 
that  DD^(q,p),  and  let  n  ■  n(q).  Then  the  conclusions  depicted  in 
Table  5.3-1  can  be  drawn  about  the  values  of  e's  output  entries  in  ea. 
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Proof : 

Key  definitions:  Def.  2.2-5  -  structure  operations;  Def.  4.2-6  -  initia¬ 
tion;  Def.  5.1-8  -  reach;  Def.  5.1-9  -  dynamic  descendancy; 

Def.  5.2-7  -  heap  determined  by  a  computation 

(1)  Let  e  be  Ex(d,k)  and  let  Znt(P)  be  (St,  /, IE).  Then  d£St-DL 


Defs.  4. 3-2+4. 3-1 

Let  f  be  any  entry  such  that  T(f)  has  source  Src(e,i)  for  any  1.  Then 
there  is  a  prefix  0<p  of  2,  containing  exactly  k  firings  of  d,  such  that 
tokens  of  value  V(f)  appear  in  the  number- i  group  of  output  arcs  of  d  at 
the  transition  from  5*6  to  5*6tp  [(1)+Lemma  4.3-1].  Therefore, 

(2)  <p  must  be  the  k**1  firing  of  d  in  2  Def.  2.1-5 

(3)  Let  a  be  r)(5,6)  and  let  NAR  be  the  node  activation  record  derived 

from  6  and  a.  Then  the  heap  determined  by  a  from  the  heap  in  5 
and  NAR,  (N^,  IT^,  SM^) ,  is  defined  and  is  identical  to  the  heap  in 
S*0  Thm.  5.2-1 


SM  (n  (p))  as  in  Table  2.2-1 
a  a 


(4)  Let  p  be  rj(5,6«p).  Then  g  ■  Ent^(e,l)  is  the  first  entry  in  p  which 

is  not  in  a,  p  is  the  number-1  input  to  <p,  and  there  are  m  input 
entries  to  e  in  p,  where  <p  removes  m  tokens  (l)+(2)+Alg.  4.3-1 

(5)  The  value  of  Src(e,l)  in  a  equals  V(f ) ,  and  that  depends  on 

(2)-(4)+Def .  4.2-6 

(6)  m  ■  In(/(d)),  so  e  is  initiated  in  p  (4)+Defs.  4. 3-2+4. 3-1 

(7)  Let  NAR'  be  the  node  activation  record  derived  from  ftp  and  p,  and 

let  CC  and  CC-  be  the  Creating -Copy  functions  corresponding  to 

a  p 

NAR  and  NAR'  respectively.  Then  p  is  the  value  in  p  of  the  output 
entries  of  a  Copy  execution  C  or  pldom  n  •  CC  (p)  is  defined,  the 

p 

first  entry  in  p  with  value  p  is  an  output  entry  of  CC  (p),  that 

P 


entry  is  strictly  preceded  by  Entp(CCp(p),l) ,  and  no  other  Copy 

execution  has  output  entries  of  value  p,  so  C  ■  CC  (p)  [(4)+ 

P 

Lemma  5.2-3]  =>  there  is  a  node  m  such  that  NAR'(C)  *  (p,m) 

[Def.  5.2-5]  A  since  V(g)  ■  p,  EntQ(C,l)  precedes  g  —  i.e.,  is  in 

P 

a  -  so  C  is  initiated  in  a  [(4)+Def.  4.3-1]  =»  NAR(C)  -  (p,m) 

I(3)+Lemma  5.2-5]  =»  CC  (p)  -  CCQ(p)  -  C  [Def.  5.2-5] 

a  p 

Dynamic  descendancy  relations  in  a  computation  depend  only  on  the  input 
and  output  entries  of  Copy  executions  in  that  computation.  Furthermore, 

(8)  a  and  (3  are  prefixes  of  co,  so  every  Copy  execution  which  has  input 

or  output  entries  in  a  or  p  has  the  same  input  or  output  entries 
in  co  [(3)+(4)+Alg.  4.3-1].  Hence 

(9)  p/tdom  n  »  letting  q'  be  the  unique  pointer  in  dom  IT  such  that 

p*  »  V(Enta(CCa(p) ,1))  is  dynamically  descended  from  q'  in  a, 
DD^(q’,p')  and  p*  is  the  value  of  Ent^CCC^p)  ,1)  .  Also,  p  is  the 
value  in  {3,  hence  in  co,  of  the  output  entries  of  CCQ(p)  [(7)+(8)],  so 
DD^q'.p),  and  since  q  is  unique  in  dom  II,  q'  ■  q 

Since  DD  (p,p), 

co 

(10)  If  p(dom  n,  then  q  ■  p,  otherwise  q  is  the  unique  pointer  in  dom  n 

such  that  V(EntQ(CCa(p) ,1))  is  dynamically  descended  from  q  in  a  [(9)] 

(11)  a  and  f3  are  prefixes  of  co,  and  a,  p ,  and  co  are  causal  computations 

for  Int(P)  (8)+(4)+Lemma  4.3-2 


(12)  For  any  Update  or  Delete  execution  U,  D(U)  extends  to  the  end  of 

Ha  »  U  is  initiated  in  a  •  Ent.(U,2)  is  in  a;  i.e.,  U  has  the 

P  P 


selector  input  in  co  and  a 


(ll)+Def.  5.2-6 


e  is  a  Fetch  or  Assign  execution  and  is  in  no  reach  in  co  •  e  is  in  nc 
reach  in  {3  [(ll)+(7)+(6)+Lemma  5.2-6]  *•  Ent^(e,l)  is  not  in  the  duration 
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of  any  Assign  execution  in  p  [ (ll)+Def .  5.1-6]  *  no  Assign  execution 

duration  extends  to  the  end  of  Ha  [(3)+(4)+Lemma  5.2-7]  «  the  value  in 

P 

SH^CTI^Cp))  is  the  value  in  SM(n(q))  I(3)+(10)]  •  the  value  of  Src(e,i)  is 
as  given  in  Table  5.3-1  t(5)]. 


e  is  a  Select,  Update,  or  Delete  execution  and  Is  in  no  reach  in  co 

=»  Ent  (e,l)  is  not  in  the  duration  of  any  Update  or  Delete  execution  which 
P 

has  selector  input  s  in  63  [ (ll)+(7)+(6)+Lemma  5.2-6]  ■»  there  is  no  Update 

or  Delete  execution  with  selector  input  s  in  a  whose  duration  extends 

to  the  end  of  [ (12)+(3)+(4)+Lemma  5.2-7]  =•  for  any  node  m,  the  pair 

(s,m)  is  in  SM  (ft  (p))  iff  (s,m) €SM(n(q))  [(3)+(10)]  »  the  value  of 
a  a 

Src(e,i)  is  as  given  in  Table  5.3-1  [(5)]. 

(13)  e  is  a  First  execution  or  a  Next  execution  with  selector  input  s  =• 

the  value  of  Src(e,l)  depends  Just  on  s  and  the  set  0  of  selectors 

in  the  ordered  pairs  in  SM  (TT  (p))  [(5)] 

a  a 

(14)  e  is  in  the  reach  of  an  Update/Delete  execution  U  in  w  =»  Ent  (e,l) 

P 

is  in  D(U)  in  p  [  (ll)+(7)+(6)+Lenma  5.2-6]  =»  D(U)  extends  to  the 
end  of  [ (3)+(4)+Lenma  5.2-7]  =»  letting  s  be  the  selector  input 
to  U  in  a,  hence  in  u,  if  U  is  an  Update,  then  s€Sc  and  s€0,  and 
if  U  is  a  Delete,  then  s€Sb  and  s{0  [ (13)+(12)+(3)+(10) ] 

(15)  For  each  s€Z,  e  is  not  in  the  reach  of  any  Update/Delete  execution 

with  selector  input  s  in  co  ■»  the  duration  of  no  such  execution 

extends  to  the  end  of  Ha  [Cll)+(7)+(6)+(3)+(4)+(12)+Leii«nas  5.2-6 

P 

+5.2-7]  -  s€0  iff  s  is  in  a  pair  in  SM0T(q))  iff  s€Sa  [(3)+(10)] 
Therefore,  s€0  iff  s€(Sa-Sb)US°  [(14)+(15)],  so  the  value  of  Src(e,l) 

A  b  C 

depends  on  s  and  (S  -S  )US  as  in  Table  5.3-1. 
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and  s„  be  any  two  equal  initial 
standard  states  for  P.  For  i*l,2,  let  be  any  halted  firing  sequence 

starting  in  and  let  Then,  given  Int(P),  the  pair 

consisting  of  co^  and  co2  satisfies  the  Initial  Structure  Constraint  and 
the  First/Next  Output  Constraint. 

Proof ; 

(1)  Let  p  be  the  equal  pointer  relation  defined  from  Int(P).  Then, 

since  and  are  both  computations  for  Int(P) ,  p  is  defined 
for  them  [Lemma  4.3-2+Def.  5.1-10} 

(2)  There  is  a  single  one-to-one  mapping  I  under  which  the  conditions  in 

S ^  and  each  arc  in  P  match  Def.  2.4-3 

(3)  For  i*l,2,  let  the  heap  in  S ^  be  (N^n^.SMj).  Let  p.^  and  pi+2  be 

any  two  pointers  such  that  neither  is  the  value  of  an  output  entry 
of  a  Copy  execution  in  Then  there  is  no  such  that 

DDco  ^qi*pi^  and  there  18  no  q1+2^Pi+2  8uch  that  DDW  (q1+2»pi+2) 

Def.  5.1-9 

^pl,col^p^P2,a)2^  °*  for  pi  1,3  the  va^-ue  in  °*  a  source;  i.e., 

p^  is  the  value  of  an  entry  in  co^  [Defs.  5.1-10+4.2-6]  =»  p^€dom  17^ 
[(3)+Lemma  5.2-3].  Similarly,  (P3»“j)p(P2,<»2)  =»  P3€dom  FT^  and  p2€dom  I72, 
and  (Pj^.cojJpCp^,^)  •  p^dom  and  p^dom  n2.  Therefore,  (pj^.cojJpCPj,,^) 
and  (p3,col)p(p2,co2)  =»  n2(p2>  -  Kfij^Pj))  and  n2(p2>  -  I(ni<P3))  [(l)-(3)+ 
Thm.  5.3-2]  •  IIjCPj)  -  n^pj)  [  (2)+(3)+Def .  2.2-1]  =»  P3  “  Px  I(3)+ 

Def.  2.2-1].  Also,  (p1,co1)pCp2,cc>2)  and  (p^co^pCp^.cojj)  - 
n2(p2)  -  l(ni(p1))  andn2(p4)  -  I(ni(p1))  [(l)-(3)+Thm.  5.3-2]  - 
n2(p2)  "  n2^p4^  "  P2  "  p4  l(2)+(3)+Def .  2.2-1] 


Lemma  5.3-5  For  any  L^s  program  P,  let 
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(4)  Let  and  be  any  two  executions  of  structure  operations 

initiated  in  and  respectively.  For  1*1,2,  let  p^  be 

V(Ent  (e  ,1)),  let  q.  be  the  unique  pointer  in  dom  n.  such  that 
6)^  11  1 

DD  (q, .P-),  and  let  n.  -  H. (q.)  Leona  5.2-4 

co^  11  ill 

(5)  (pj.cojjp^.oc^)  »  Kl)-(4)+Thn.  5.3-2]  =» 


SJ^^)  “  I(SM^(n^))  { (l)-(4)+Thoi.  5.3-2]  =>  the  value  and  the  sets 
of  selectors  in  SM^Cn^)  and  SM^(n^)  are  identical  [Def.  2.4-1] 

(6)  For  1*1,2,  eA  does  not  fall  into  a  reach  in  =»  if  eA  is  a  Fetch 
or  Assign  execution,  then  for  j*l,2,  the  value  of  Srcte^.j)  in  oo^ 
depends  only  on  the  value  in  SM^(n^) ,  if  e^  is  a  Select,  Update,  or 
Delete  execution,  then  the  value  of  the  source  Src(e^,2)  in  co^ 
depends  only  on  V(Ent  (e.,2))  and  the  set  of  selectors  in  SM  (n  ) , 

CO^  1  1  1. 

and  if  e^  is  an  Update  or  Delete  execution,  the  value  of  SrcCe^l) 
is  identically  zero  [ (l)-(4)+Lemma  5.3-4] 

For  1*1,2,  e^  does  not  fall  into  a  reach  in  oo^  and  (p^.coj^p^.a^)  =* 
if  6^  and  e^  are  two  Fetch  or  Assign  executions,  then  for  j*l,2,  the 
values  of  Src(e^,j)  in  and  of  Src^.j)  in  are  the  same,  if  e^  and 
e.  are  each  a  Select,  Update,  or  Delete  execution,  with  V(Ent  (e.,2)) 

*  COj  1 

and  V(Ent  (e.,2))  the  same,  then  the  values  of  Src(e, ,2)  in  oj,  and  of 
u>2  *  XX 

Srcte^.Z)  in  ^  are  the  same,  and  if  e^  and  e^  are  each  an  Update  or 
Delete  execution,  the  values  of  Src(e^,l)  in  co^  and  SrcCe^^l)  in  are 
the  same  [(6)4(5)].  Therefore,  the  pair  consisting  of  and  ^  satisfies 
the  Initial  Structure  Constraint  [ (l)+(4)+Const.  5.1-5]. 

(7)  Assume  e^  and  e2  are  two  First  executions  or  two  Next  executions  with 
V(Ent  (e.,2))  -  V(Ent  (e.,2))  -  s.  Then,  for  1*1,2,  for  j*l,2, 

(0^  *  COj  ■ 

the  value  of  Src(e^,J)  in  co^  depends  only  on  s  and  on  the  set 
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of  selectors,  defined  by  ■  (S*-S^)US®f  where 
S®  ■  {s€Z|  3m:  (s,m)  SSM^n^)  } 

sj  -  {s€Z|  BDelete  D±:  e^R^)  in  ^  A  8  •  VCEnt^  0^,2))} 

and  «  {s€Z|  3Update  U^  e^R^)  in  ^  A  s  «  V(Ent^ 

(l)+(3)+(4)+Lemma  5.3-4 

^pl,col^p^2,c°2^  **  ®i  “  ®2  ei  *n  bbe  reac^  of  an  Update  (Delete) 

execution  with  selector  input  s  in  co^  iff  e^  is  in  the  reach  of  an  Update 

b  b  c  c 

(Delete)  execution  with  selector  input  s  in  co^  =»  and  [(6)]. 

Hence  (p^,co^)p(p2>^2^  aod  is  in  the  reach  of  an  Update  (Delete) 

execution  with  selector  input  s  in  co^  iff  e2  is  in  the  reach  of  an  Update 

(Delete)  execution  with  selector  input  s  =»  ■  S2  [(6)]  =»  for  j«l,2, 

the  values  .of  Src(e^,j)  in  co^  and  Src(e2>j)  in  co ^  are  the  same  1(6)]. 
Therefore,  the  pair  consisting  of  co^  and  co^  satisfies  the  First/Next 
Output  Constraint  [(l)+(4)4Const.  5.1-6], 

A 

Lemma  5.3-11  Let  S ^  and  be  any  two  equal  initial  standard  states  for 

and  $2  be  any  two  halted  firing  sequences 
starting  in  and  8^  respectively.  Let  co^  ■  •n(S^,2^)  and  ■  "n  (^2*^2^  * 
and  assume  that  these  are  computations  for  Int(P).  Let  and  02  be  any 
two  causal  computations  for  Int(P)  and  let  p  be  the  equal  pointer  relation 
defined  from  Int(P) .  If  given  Int(P) , 

(1)  for  i«l,2,  for  any  structure  operation  execution  e,  e  is  initiated  in 
a^e  is  initiated  in  co  ,  for  every  integer  j,  if  there  is  an  entry 
Ent  (e,J)  in  a,,  then  there  is  an  Ent  (e,j)  in  co,  with  the  same 

Ctj  1  COj  1 

value,  and  if  there  is  an  entry  in  whose  transfer  has  source 


the  same  L^g  program  P  and  let  S2^ 
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Src(e,j),  then  there  is  an  entry  in  with  the  same  value  whose 
transfer  has  source  Src(e,j), 

(2)  for  i**l,2,  for  every  structure  operation  execution  e  initiated  in 

and  any  Assign,  Update,  or  Delete  execution  A,  e(R(A)  in  a±  iff 
e€R(A)  in  and 

(3)  for  any  pointers  Pl  and  p2,  (p1,a1>p(p2,a2)  -  (p1,w1)p(p2,w2) , 

then  dj  satisfies  the  Atomic  Output,  Structure  Output,  and  Unique  Pointer 
Generation  Constraints,  and  the  pair  consisting  of  and  a2  satisfies  the 
Initial  Structure  and  the  First/Next  Output  Constraints. 

Proof; 

(A)  For  i*l,2,  satisfies  the  Atomic  Output  and  Structure  Output 

Constraints  given  Int(P)  t.mm.5.  5.3-3 

For  each  Fetch,  Assign,  Select,  Update,  or  Delete  execution  e  initiated 

in  and  any  Assign,  Update,  or  Delete  execution  A,  e€R(A)  in  *» 

e€R(A)  in  co^  [(2)]  A  e  is  a  Fetch,  Assign,  Select,  Update,  or  Delete 

execution  initiated  in  « . ,  and  for  j-1,2,  if  there  is  an  entry  Ent  (A,J) 

ai 

then  there  is  an  entry  Ent  (A,j)  and  V(Ent  (A,j))  «  V(Ent  (A,j))  [(1)] 

A  for  k*l , 2 ,  the  value  of  Src(e,k)  in  co^  (if  any)  depends  on  the  actions 

of  A  and  e  and  possibly  on  V(Ent  (A,2))  and  V(Ent  (A, 3)),  as  in  the 

Constraints  [(4)+Def.  4.2-6+Consts.  5. 1-3+5. 1-4]  «•  for  k-1,2,  the  value 

of  Src(e,k)  in  (if  any)  depends  on  the  actions  of  A  and  e  and  possibly 

on  V(Ent  (A, 2))  and  V(Ent  (A, 3))  as  in  the  Constraints  [(1)+Def.  4.2-6]. 
ai  ai 

Tharefore,  satisfies  the  Atomic  Output  and  Structure  Output  Constraints 
given  Int(P) . 

(5)  co^  satisfies  the  Unique  Pointer  Generation  Constraint  given 
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Int(P)  -  (St,  /, IE)  Lemma  5.3-6 

Let  C  be  any  Copy  execution  initiated  in  a^,  and  let  p  be  the  value  of 
its  output  entries  in  (if  any) .  Then  does  not  satisfy  the  Unique 
Pointer  Generation  Constraint  =»  there  is  an  execution  e^C  whose  output 
entries  have  value  p  in  and  e  either  is  in  IE,  is  a  Copy  execution,  or 
is  a  Select  execution  not  in  a  reach  in  [Const.  5.1-7]  =»  C  and  e  have 
output  entries  of  value  p  in  [(1)]  A  by  causality,  e  is  initiated  in 
[Def.  4.2-7]  =»  either  eflE,  e  is  a  Copy  execution  not  equal  to  C,  or 
e  is  a  Select  execution  not  in  a  reach  in  [(2)]  =»  does  not  satisfy 
the  Unique  Pointer  Generation  Constraint  [Const.  5.1-7].  Therefore, 
does  satisfy  that  Constraint  given  Int(P)  [(5)]. 

(6)  The  pair  <a2  satisfies  the  Initial  Structure  and  First/Next 

Output  Constraints  given  Int(P)  Lemma  5.3-5 

(7)  For  i=l,2,  let  p^  and  Pi+2  be  two  pointers  such  that  neither  is  the 

value  in  of  an  output  entry  of  a  Copy  execution.  Then  for  any 

q>  DD^Cq.Pi)  =»  q  -  p±  and  dd^  (q»P1+2>  =»  q  *  pi+2  Def  •  s.i-9 

(8)  (p1,a1)p(p2,a2)  A  (p3,a1)p(p2,a2)  =>  p1>  P2>  and  p^  are  each  the 

value  of  the  output  entries  in  of  an  execution  e  which  either 

is  in  IE  or  is  a  Select  execution  not  in  a  reach  in 

(7)+Defs.  5.1-10+4.2-6 

(9)  A  (p^i(o^) p(p2,co2)  A  (p3 jCo^) p(p2 ,6>2)  (3) 

=>  pj,  p^»  and  p^  are  each  the  value  of  the  output  entries  in  co^  of  an 
execution  e  which  either  is  in  IE  or  is  a  Select  execution  not  in  a  reach 
(since  e  is  initiated  in  a^»  by  causality  [Def.  4.2-7])  [(1)+(2)J  =»  none 
of  p^,  p^»  or  p^  is  the  value  of  the  output  entries  of  a  Copy  execution 


in  or  co2  [(5)+Const.  5.1-7] 


(10)  Pt  •  P3 
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(9)+(6)+Conat.  5.1-5 


By  symmetry, 

(11)  (p1,a1)p(p2,a2)  A  (p1,a1)p(p^,a2)  -  p2  •  p^ 

(12)  Let  e^  and  *2  be  any  two  Fateh  or  two  Assign  axacutions  Initiated  in 

it2  and  «2  respectively  with  pointer  Inputs  p^  and  p2  such  that 

(Pl’al^p^P2’a2^  *  T''*n  *1  >nd  *2  #r*  tWO  p#tch  or  cvo  Assign 

executions  initiated  in  and  io2  respectively  with  pointer  inputs 

P3  and  p2  such  that  (p^u^ptpj.o^)  [(l)+(3)).  For  i-1,2,  e^^ 
does  not  fall  into  a  reach  in  ot^  «•  does  not  fall  into  a  reach  in 
1(2)1  *•  for  J-1,2,  the  values  of  Src(e^,j)  in  u>^  and  Src(e2,J) 
in  ,o2  are  the  same  r(6)+Const.  5.1-51  ••  the  values  of  Srcfsj,)) 
in  and  Src(e2,j)  in  «2  are  the  same  [(1)+Def.  4.2-61 

(13)  Let  ej  and  e2  ba  any  two  Select,  Update,  or  Delete  executions 

initiated  in  and  a2  with  equal  selector  Inputs  and  pointer  Inputs 
p^  and  p2  such  that  (p^n^) p(p2»n2)  .  Then  e^  and  e2  are  two  Select, 
Update,  or  Delete  executions  initiated  in  and  u>2  with  equal 
selector  Inputs  ((1)1  and  pointer  Inputs  p^  and  p2  such  that 
(Pj»Wj)p(p2,u)2)  I  ( 3)  J 

(14)  e^  does  not  fall  into  a  reach  in  -»‘e^  does  not  fall  into  a  reach 

in  u>j  l(13)+(2)]  «•  Src(e^,2)  has  the  same  value  in  v»^  as  Src(e2>2) 
has  in  u>2 ,  and  if  both  e^  and  e2  are  Update  or  Delete  executions, 
then  the  values  of  Src(e^,l)  in  and  Src(s2,l)  in  o>2  are  the 
seme  ( (13)+(6)+Conet.  5.1-51  *»  Src(Sj,2)  has  the  same  value  in 
as  Src(e2,2)  has  in  a2>  and  if  both  e^  and  e2  are  Update  or  Delete 
executions,  then  the  values  of  Src(ej,l)  in  and  Src(e2,l)  in  a2 
ere  the  seme  {(l)-fDef.  4.2-6] 


The  pair  a^,  satisfies  the  Initial  Structure  Constraint  [ (7)+(8)+(10)+ 
(ll)+(12)+(13)+Const .  5.1-5]. 

(15)  Let  e^  and  e^  be  two  First  executions,  or  two  Next  executions  with 

the  same  selector  inputs,  initiated  in  and  a^.  Then  e^  and  e^ 
are  two  First  executions,  or  two  Next  executions  with  equal 
selector  inputs,  initiated  in  and  (1) 

(16)  Their  pointer  inputs  are  and  p^  such  that  (p^,a1)p(p2,a2)  and 

for  each  selector  s,  is  in  the  reach  of  an  Update  (Delete) 
execution  with  selector  input  s  in  iff  e^  is  in  the  reach  of 
Update  (Delete)  execution  with  selector  input  8  in  °  their 
pointer  input  values  are  p^  and  p^  [(1)]  such  that  (p^.u^  )P(P2 
[(3)]  and  e^  is  in  the  reach  of  an  Update  (Delete)  execution  A^ 
with  selector  input  s  in  iff  e2  is  in  the  reach  of  an  Update 
(Delete)  execution  A2  in  a >2  [ (15)+(2)+(l) ]  »  for  j»l,2,  the  value 
of  Src(e^,j)  in  is  the  same  as  the  value  of  Src(e2»j)  in 
[ (15)+(6)+Const.  5.1-6]  =»  for  j-1,2,  the  values  of  Src(e^,j)  in 
and  Src(e2>J)  in  are  the  same  [(1)+Def.  4.2-6] 

Therefore,  the  pair  a^,  a2  satisfies  the  First/Next  Output  Constraint 
[15)+(16)+Const.  5.1-6]. 
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Append  lx  E 

Proofs  from  Chapter  7 

Theorem  7 . 1-1  Let  5  be  any  Initial  modified  state  from  any  L^g  program 
P,  and  let  S'  be  the  corresponding  initial  standard  state.  Let  2  be  any 
firing  sequence  starting  in  5  on  the  modified  interpreter.  Then 
A:  2  is  also  a  firing  sequence  starting  in  S'  on  the  standard 
interpreter,  and 
B:  S'  *2pS"2. 


Proof: 

Key  definitions:  Def.  2.1-5  -  standard  interpreter;  Def.  3.3-7  -  Standard 
functions;  Def.  3.3-8  -  Strip;  Def.  3.3-9  -  modified  interpreter; 

Def.  7.1-1  -  congruency  (p) 

Proof  is  by  induction  on  the  length  of  &. 

Basis:  |q|  -  0.  This  empty  sequence  is  a  firing  sequence  on  any  data¬ 
flow  interpreter  starting  in  any  initial  state  [Def.  2.3-1].  Furthermore, 
S'  *2  ■  S'  and  5*2  ■  5  [Def.  2.3-1],  so  since  Q  is  empty  in  an  initial 
state,  5' *2p5-2  [Def s.  3. 3-5+7. 1-1] .  Hence  A  and  B. 

Induction  step:  Assume  A  and  B  are  true  for  an  firing  sequence  of  length 
n,  n  >  0,  and  consider  2<p>  starting  in  5,  of  length  o+l. 

(1)  Let  d  be  the  actor  in  P  of  which  the  last  firing  <p  is  a  firing.  Then 

d  is  enabled  in  5*2  Def.  2.3-1 

(2)  The  input  and  output  arcs  of  d  in  5*2  ere  configured  as  required 

for  enabling  per  Def.  2.1-4,  and  if  d  is  a  Select,  2p:  d€Q(p)  in 


5*2 


\ 


Def.  3.3-6 
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(3)  5' *2m5*2  ind.  hyp.  B 

(4)  If  d  is  a  gate,  then  its  control  input  in  s' *2  (being  non-pointer) 

is  the  same  as  in  S*2  (3) 

For  any  input  arc  b  of  d,  b  is  empty  in  S' *2  »  b  is  empty  in  5*2  [(3)] 

*»  d  is  a  merge  gate  with  a  true  (false)  control  input  in  5*2,  and  b  is 
the  F  (T)  input  arc  of  d  [(2)+Def.  2.1-4]  =»  d  is  a  merge  gate  with  a 
true  (false)  control  input  in5' *2,  and  b  is  the  F  (T)  input  arc  of  d  [(4)]. 
For  any  output  arc  b  of  d,  b  is  empty  in  5*2  [(2)+Def.  2.1-4]  *»  if  b  is 
not  empty  in  S' *2.  then  d  is  a  Select  and  3p:  d€Q(p)  in  5- 2  [(3)]  *» 

b  is  empty  in  S'  *2  [(2)].  Therefore,  d  is  enabled  in  5' *2  on  the 
standard  interpreter  [Def.  2.1-4],  so 

A:  2<p  is  a  firing  sequence  starting  in  S'  on  the  standard  interpreter 
[ (1)+Def .  2.3-1] 

(5)  Let  5*2  be  (1^,1^, and  let  Fire(5*2,d)  be  (r2,U2,Q2),  while 

S'  *2  is  (rj,»p  and  5’  -2tp  is  (r£,0’).  Let  I*8  be 
Standard^  (Str  ip  (I^.d) ,Uj) ,d) 

(6)  r2  ■  Standard  ((r^Oj,)  ,d)  and  -  Standard^ (rj,up,d)  (5) 

(7)  U2  -  Standardu((Strip(rl,d),U1),d)  (5) 

(8)  For  every  arc  b  in  P,  the  conditions  of  b  in  (r^,U|)  and  in 

(ri’Ul,Ql)  matc*1  to  witbin  withheld  outputs,  and  is  identical 
to  Ux  (3)+Def .  7.1-1 

(9)  Let  b  be  any  arc  in  P  which  is  neither  an  input  nor  output  arc  of 

d.  Then  b's  condition  in  r~  is  Identical  to  b's  condition  in  r 

2  8 

which  is  identical  to  b's  condition  in  Strip(r^.d)  [(5)]  which  is 
identical  to  b’s  condition  in  r^,  and  b's  condition  in  r2  is 
Identical  to  b's  condition  in  r|  ((6)]. 


(10)  If  b  Is  a  data  output  arc  of  a  Select  operator  S,  then  S/d  [(9)+ 

Def.  2.1-1]  A  Vp:  SfQ^p)  •*  tS«Q^(p)  v  S  ■  d],  ao  for  all  p, 

S€Q2(p)  iff  SfQ^p) 

(11)  For  any  arc  b  in  P  which  is  neither  an  input  nor  an  output  arc  of  d, 

the  conditions  of  b  in  Flre(^‘S,d)  and  in  natch  to  within 

withheld  outputs  [ (8)+(9)+(10)+(5)+Def .  7.1-1] 

(12)  Let  b  be  any  arc  which  is  an  input  arc  of  d  and  is  not  an  output  arc 

of  d.  Then  b  is  not  the  T  (F)  input  arc  of  a  merge  gate  d  with  a 

false  (true)  control  input  in  Strip(r^»d)  *»  b  is  not  the  T  (F) 

input  arc  of  a  merge  gate  d  with  a  false  (true)  control  input  in 
*  b  is  not  the  T  (F)  input  arc  of  a  merge  gate  d  with  a  false 
(true)  control  input  in  rj  [ (4)+(5) ]  >b  is  empty  in  [ (5) ]  and 
b  is  empty  in  r2  l  (5)+(6)  ]  -  b  is  empty  in  r2  and  in 

(13)  b  is  the  T  (F)  input  arc  of  a  marge  gate  which  has  a  false  (true) 

control  input  in  -  b's  condition  in  F^  matches  its  condition  in 
[(4)+(6)]  a  since  d  is  a  pi  actor,  b’s  condition  in  Stripd^.d) 
matches  that  in  and  d  is  a  merge  gate  which  has  a  false  (true) 
control  input  in  Strip(r^.d)  [Def.  2.2-4]  •  b's  condition  in  r# 
matches  b's  condition  in  t(5)]  •  since  r2  differs  from  r#  only 
in  the  conditions  of  d's  output  arcs,  b's  condition  in  r2  matches 
b's  condition  in  [(12)] 

(14)  b  is  a  data  output  arc  of  a  Select  operator  S  •  S/d  [(12)]  A  for 

all  p,  SfQ2(p)  iff  (SCQ^Cp)  V  S  ■  d],  so  for  all  p,  S€Q1(p)  iff 
SfQ2(p) 

(15)  b  is  a  data  output  arc  of  a  Select  operator  S  -  3p:  SCQ2(p)  • 

S€Q.(p)  [(14)]  •  b  is  empty  in  r.  and  has  a  token  of  value  p  in  r,' 
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[(8)]  =»  b  is  the  T  (F)  input  arc  of  a  merge  gate  d  with  a  false 
(true)  control  input  in  [ (ll)+(2)+Def .  2.1-4]  =»  b  is  empty  in 
r2  and  has  a  token  of  value  p  in  r2  [(13)1 

(16)  b  is  not  a  data  output  arc  of  a  Select  operator  S  such  that  3p: 

S€Q2(p)  a  b  is  not  a  data  output  arc  of  a  Select  operator  S  such 
that  3p:  S€Q^(p)  [(14)]  =»  either  b  is  empty  in  and  r^,  or  b 
has  tokens  of  non-pointer  value  v  in  and  r^»  or  b  has  a  token 
of  pointer  value  p  in  and  a  token  of  value  (p,R)  or  (p,W)  in 
[ (8) ]  =»  either  [b  is  the  T  (F)  input  arc  of  a  merge  gate  d  with  a 
false  (true)  contol  input  in  and  either  b  is  empty  in  r2  aijd 
r2,  b  has  a  token  of  non-pointer  value  v  in  r2  and  r2>  or  b  has  a 
token  of  value  p  in  r2  and  one  of  value  (p,R)  or  (p,W)  in  r2]  [(13)] 
or  [b  is  not  the  T  (F)  input  arc  of  a  merge  gate  d  with  a  false 
(true)  control  input  in  and  b  is  empty  in  r2  and  r2]  [(H)] 

(17)  For  any  input  arc  b  of  d  which  is  not  an  output  arc  of  d,  the 

conditions  of  b  in  Fire(S*£>,d)  and  S' ’Sty  match  to  within  withheld 
outputs  (15)+(16)+(8) 

For  any  output  arc  b  of  d,  there  are  two  cases  to  consider:  d  either  is 
or  is  not  a  structure  operator. 

Case  I:  d  is  not  a  structure  operator 

(18)  Since  d  is  not  a  Select,  b  is  empty  in  r2  iff  b  is  empty  in  [(5)] 

iff  d  is  a  T-  (F-)  gate  which  has  a  false  (true)  control  input  in 
Strip(r^.d)  [(5)]  iff  d  is  a  T-  (F-)  gate  which  has  a  false  (true) 
control  input  in  iff  d  is  a  T-  (F-)  gate  which  has  a  false  (true) 
control  input  in  r|  1(4)]  iff  b  is  empty  in  r2  [(6)] 

If  b  has  a  token  in  r2  and  there  are  two  sub-cases  to  consider. 


i 


r 
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Case  la:  d  is  a  pi  operator. 

Let  v  be  the  value  of  the  token  on  b  in  Tj.  Then  there  is  an  input 
arc  a  of  d  which  holds  a  token  of  value  v  in  that  is  removed  by  cp 
[Def.  2.2-4].  If  d  is  a  gate,  it  has  the  same  control  input  in  as  in 
F^,  and  since  d  is  enabled,  there  is  a  token  on  a  in  [(4)+(2)+Def .  2.1 
Def.  2.1-4].  The  value  of  that  token  is  v,  if  v  is  not  a  pointer,  or 
(v,R)  or  (v,W),  if  v  is  a  pointer  [(8)].  There  is  a  token  of  some  value 
v'  on  a  in  Strip(r^,d),  and  if  d  is  a  gate,  it  has  the  same  control 
input  in  Strlp(r^,d)  as  in  Thus  there  is  a  token  of  value  v'  on  b 
in  Tg  [(5)],  so  there  is  a  token  of  value  v,  if  v  is  not  a  pointer,  or 
(v,R)  or  (v,W) ,  if  v  is  a  pointer,  on  b  in  r2* 

Case  lb:  d  is  not  a  pi  actor  (or  a  structure  operator) 

The  value  of  the  token  on  b  in  r2  equals  the  value  of  the  token  on 
b  in  r  ,  which  depends  only  on  the  values  on  d's  input  arcs  in 
Strip(F^,d)  and  the  type  of  actor  d  is,  and  the  value  of  the  token  on  b 
in  r2  depends,  in  exactly  the  same  way,  on  the  values  on  d's  input  arcs 
in  rj  and  the  type  of  actor  d  is  [ (5)+(6) ] .  The  values  on  d's  input  arcs 
in  both  rx  and  r|  are  all  non-pointers,  as  are  the  values  on  b  in  r2  and 
?2  [Def.  2.2-5].  The  values  on  d’s  input  arcs  in  Strip(r^,d)  are  identical 
to  those  in  r^,  which  are  identical  to  those  in  rj  [ (8)+(2) ] .  Therefore, 
the  values  on  b  in  T2  and  r2  are  identical  non-pointers. 

In  either  case, 

(ID  If  d  is  not  a  structure  operator,  then  the  conditions  of  any  output 

arc  b  of  d  in  Flre(£‘Q,d)  and  S' match  to  within  withheld  outputs 
[ (18)+(5) ]  *nd  U2  -  ^  -  U’  -  Uj  [ (7)+(8)+(6) ] 


Case  II:  d  is  a  structure  operator 

(20)  and  the  token  on  b  in  rg  depend  only  on  U^,  the  values  on  d's 

Input  arcs  in  Strip (F^.d) ,  and  the  pointer-node  pair  (ptn)  in  cp, 
if  d  is  a  Copy.  and  the  token  on  b  in  depend  in  exactly  the 

same  way  on  U^,  the  values  on  d's  input  arcs  in  r|»  and  on  (p,n), 
if  d  is  a  Copy  (6)+(7)+Def.  2.3-1 

There  are  tokens  on  all  of  d's  input  arcs  in  [(2)+Def.  2.1-4],  so 
the  values  on  d's  input  arcs  in  F^  and  F^  differ  by  at  most  an  "R"  or 
"W"  tag  1(8)].  Thus,  the  values  on  d's  input  arcs  in  Strip(F^,d)  and 
r|  are  identical.  Therefore,  is  identical  to  U^,  and  b  has  identical 
tokens  in  r  and  T~ •  b  is  not  any  output  arc  of  a  Copy  or  a  data  output 

8  4 

arc  of  a  Select  =»  the  tokens  on  b  in  T  and  r_  have  identical  non-pointer 

8  i 

values  =»  the  tokens  on  b  in  and  have  identical  non-pointer  values, 

b  is  any  Copy  output  arc  =>  the  tokens  on  b  in  T  and  r'  both  have  as  value 

8  4 

a  pointer  p  [Def.  2.3-1]  =»  the  token  on  b  in  V2  has  value  (p,R)  or  (p,W) 
and  the  token  on  b  in  has  value  p.  b  is  a  data-output  arc  of  a  Select 
d  -  the  tokens  on  b  in  T  and  Ti  both  have  a  pointer  value  q  [(5)+(6)] 

8  4 

»  b  is  empty  in  ?2  and  d^Cp)  •  Therefore, 

(21)  If  d  is  a  structure  operator,  then  Uj  *8  identical  to  U^,  and  the 

conditions  of  b  in  Fire(S*S2,d)  and  S' ’S< p  match  to  within  withheld 
outputs  (8) 

In  either  Case  I  or  Case  II,  then, 

(22)  U2  is  identical  to  and  the  conditions  of  b  in  Fire(S*S2,d)  and 

S'  ’2<p  match  to  within  withheld  outputs  (19)+(21) 

(23)  For  any  arc  b  in  P,  the  conditions  of  b  in  Fire(S’2,d)  and  S' '8<p 

match  to  within  withheld  outputs,  and  Uj  is  identical  to  t(lD+ 


4 

I 
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CL7H(22)] 

(24)  Let  S’Qtp  -  Release t(T2  ,U2  .Q^  )  be  (r3,03,Q3)  [(5)].  Then  U3  is 

identical  to  which  is  identical  to  (23) 

(25)  For  any  arc  b  in  P,  b  is  the  data  output  arc  of  a  Select  S  and  3p: 

S€Q3(p)  •  b  is  an  output  arc  of  a  Select  S  and  3p:  S€Qg(p)  •  b  is 
empty  in  ^  and  there  is  a  token  of  value  p  on  b  in  [(23)+(5)] 

«•  b  is  empty  in  r3  and  there  is  a  token  of  value  p  on  b  in  r^. 

(26)  b  is  not  the  data  output  arc  of  a  Select  S  such  that  3p:  S€Q3(p)  =• 

either  b  is  not  the  data  output  arc  of  a  Select  S  such  that  3p: 

SfQ^i  (p) »  implying  that  the  condition  of  b  in  ?3  is  identical  to 
that  in  r2,  or  b  is  the  data  output  arc  of  a  Select  S  such  that 
3p:  S€Q2(p)>  which  Implies  that  b  has  a  token  of  value  (p,R)  in 
r3  ■»  either  [b  is  empty  in  I*3  and  F2  or  b  has  a  token  of  non¬ 
pointer  value  in  T3  and  T2  or  b  has  a  token  of  pointer  value  p  in 
r’  and  a  token  of  value  (p,R)  or  (p,W)  in  I^]  [(23)]  or  [3p:  b  has 
a  token  of  value  p  in  r2  and  a  token  of  value  (p,R)  in  r3]  [(23)]. 
Therefore,  for  every  arc  b,  the  conditions  of  b  in  S'Qtp  and  S'  -Stp  match 
to  within  withheld  outputs  [(25)+(26)],  so  from  this  and  [(24)], 

S'QtpvS'  *S2(p . 

A 

Theorem  7.1-3  Let  P  be  any  L^g  program.  For  any  initial  modified  state 
S  for  P,  let  S'  be  the  corresponding  initial  standard  state  and  let  S  be 
any  halted  firing  sequence  starting  in  S.  Then  there  is  a  halted  firing 
sequence  S'  which  has  Q  as  a  prefix  such  that  rj(S',8'>  is  SOE-inclusive 
of  T)(S,S)  . 
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Proof:  2  is  a  firing  sequence  starting  in  S'  and  5'*ap5*a  [Thra.  7.1-1], 
so 

(1)  a  is  a  prefix  of  a  halted  firing  sequence  a'  starting  in  S' 

Def.  2.3-1 

(2)  Let  co  ■  T)(S,a)  and  co'  m  ’r}(S' , 2').  Let  (Int,J)  be  the  expansion  for 

P  from  EEd^gtM)  and  let  (Int'.J1)  be  the  expansion  for  P  from 
EEd'gg.S).  Then  Int'  “  Int  "  Int<p)  Def.  4.3-2 

(3)  Let  Int  «■  (St,  /,IE)  .  Then  co  and  co’  are  both  causal  computations 

for  Int  (2)+Lemma  4.3-2 

(4)  co€j^  g,  co'Cj^,  g,,  $(co)  is  the  reduction  of  2,  and  $(m')  is  the 

reduction  of  2'  (2)+Lenma  4.3-3 

(5)  Let  e  -  Ex(d,k)  be  any  execution  in  mhlch  /(d)  is  a  structure 

operation.  Then  d€St-DL  Def.  4.3-2 

(6)  e  is  initiated  in  co  =»  there  are  at  least  k  firings  of  d  in  2 

[ (2)-(5)+Thm.  4.3-2]  =»  there  are  at  least  k  firings  of  d  in  2'  [(1)] 
=*  e  is  initiated  in  co'  [(l)-(5)+Thm.  4.3-2] 

(7)  Let  NDE  be  the  set  of  executions  NDE  *  (Ex(d,k) |  d€St-DL}.  Then 

for  any  e€NDE  which  is  initiated  in  co,  the  initiating  entry  to  e 
is  preceded  in  both  co  and  co'  by  the  initiating  entries  to  exactly 
k-1  other  executions  of  d  (3)+(l)+(4)+(6)+Cor.  4.3-1 

Since  the  reduction  of  a  prefix  of  2'  is  a  prefix  of  the  reduction  of  2' 
[Def.  2.4-5],  $(co)  is  a  prefix  of  $(co')  [(4)+(l)],  so 

(8)  For  any  n  5  |$(co)  | ,  the  nth  execution  from  NDE  to  initiate  in  co  is 

Ex(d,k)  iff  the  nC^  firing  in  $(co)  is  the  k^1  firing  of  d  t(7)+ 

Def.  4.3-4]  iff  the  n^  firing  in  $(co')  is  the  k**1  firing  of  d  iff 
the  nth  execution  from  NDE  to  initiate  in  co'  is  Ex(d,k)  [(7)+ 
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Def.  4.3-4] 

(9)  Let  e  and  e'  be  any  two  distinct  executions  of  structure  operations 
such  that  e  is  initiated  in  w.  Then  both  e  and  e'  are  in  NDE 

(7)+Def.  4.3-2 

There  is  an  n  £  j$(o>)  |  such  that  e  is  the  n**1  execution  from  NDE  to 
initiate  in  both  co  and  co'  [(9)+(8)],  so 

(10)  e'  initiates  before  e  in  go  iff  e  is  the  nth  execution  from  NDE  to 

initiate  in  co,  for  n  £  |$(co)  |,  e'  is  the  m**1,  and  m  <  n  iff  e  is 
the  n^1  execution  from  NDE  to  initiate  in  co’ ,  n  £  |$(co)|,  e'  is 
the  m**1,  and  m  <  n  [(8)]  iff  e'  initiates  before  e  in  co' 

(11)  Let  C  ■  Ex(d,k)  be  any  Copy  execution  initiated  in  co.  Then  there 

is  one  input  entry  to  e  in  eo  [Defs.  4. 2-6+4. 3-1+2. 2-5 ] ,  and  there 
are  at  least  k  firings  of  d  in  3  [(9)+(7)+Lemna  4.3-1],  so  C  has 
output  entries  in  co  ■  ri(S,8)  [(2)+Lenma  7.1-2] 

(12)  Let  6cp  be  any  prefix  of  8.  Then  6  and  6cp  are  both  firing  sequences 

starting  in  S  Def.  2.3-1 

By  Thm.  7.1-1,  then,  6  and  8cp  are  both  firing  sequences  starting  in  5', 
and  S' *8m5*0,  so 

(13)  for  each  arc  b  in  P  which  holds  a  token  in  S' 9,  b  holds  a  token  in 

S' *0,  and  the  value  of  the  token  on  b  in  5**6  is  v  iff  the  value  of 
the  token  on  b  in  S’6  is  v,  if  v  is  not  a  pointer,  or  (v,R)  or 
(v, W),  if  v  is  a  pointer  [Def.  7.1-1],  and 

(14)  if  cp  is  a  firing  of  a  gate  actor  d,  then  d  is  enabled  in  both  5*8 

and  S' 'B  [(12)+Def.  2.3-1),  so  it  has  control  tokens  in  both 
states  [Def.  2.1-4]  whose  values  must  be  the  same 
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(15)  For  any  prefix  i  of  S,  A  is  a  firing  sequence  starting  in  S  and 

in  S',  and  5'*AnS*A  [Def.  2.3-1+Thm.  7.1-1],  Thus,  for  any  arc  b 
of  P,  b  holds  a  token  in  S'  A  =>  b  holds  a  token  in  s' ‘ A  [Def.  7.1-1] 
so  Source(b,5' , A)  11  Source(b,5» A)  [Lemma  7.1-3] 

(16)  Let  e  -  Ex(d,k)  be  any  execution  such  that  /(d) ^OA  and  there  are 

input  entries  to  e  in  go.  Then  In(/(d))  >  0  (3)+Def.  4.2-6 

/(d)#IG,  so  e^IE  and  d€St-DL  [(3)+Defs.  4 .3-1+4. 3-2] .  Hence, 

(17)  there  is  a  prefix  0<p  of  2  in  which  <p  is  the  k^1  firing  of  d 

(2)+Lemma  4.3-1 

(18)  6ip  is  a  prefix  of  S2 '  in  which  <p  is  the  k^  firing  of  d  (17)+(1) 

If  d  is  a  gate,  it  has  the  same  control  input  in  both  S' 0  and  5' *6  [(17)+ 
(12)+(14)],  so  for  each  input  arc  b  of  d,  there  is  a  token  on  b  in  5*6 
but  not  in  5*6cp  iff  there  is  a  token  on  b  in  5’ *6  but  not  in  5'*6<p 

[Def.  2.1-5],  Therefore, 

(19)  For  any  integer  j,  source  s,  and  value  v,  there  is  an  entry  f  in  co 

such  that  V(f )  -  v  and  T(f)  has  source  s  and  destination  Dst(e,j) 
iff,  in  going  from  5*6  to  5*6cp,  a  token  of  value  v,  if  v  is  not  a 
pointer,  or  (v,R)  or  (v,W),  if  v  is  a  pointer,  is  removed  from  b, 
the  number-j  input  arc  of  d,  and  s  ■  Source(b,5,6)  [(17)+Alg.  4.3-1] 
iff  in  going  from  5**6  to  S'  *6<p,  a  token  of  value  v  is  removed  from 
b  [(13)]  and  s  -  Source (b, 5' ,6)  [(15)]  iff  there  is  an  entry  g  in 
co'  such  that  V(g)  •  v  and  T(g)  has  source  s  and  destination 
Dst(e,J)  [(18)+(16)+Alg.  4.3-1] 

(20)  Let  e  ■  Ex(d,k)  be  any  non-pi  execution.  Then  /(d)*0A  [Def.  5.1-2], 

so  for  any  J,  if  there  is  an  entry  Ent^(e,j)  in  co,  then  there  is  an 
entry  Entu,(e,J)  in  with  the  same  value  [(16)+(19)] 
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(21)  Let  £  be  any  entty  in  to.  Let  V(f)  be  v  and  let  T(f)  be 

(s,Dst(Ex(d,k) ,j))  where  s  -  Src(e,i).  Then  Ex(d,k)€lE  «*  /(d)  «  IG 

*»  In(/(d))  •  0  [Defs.  4. 3-2+4. 3-1 ] .  Since  Ex(d,k)  has  an  input 

entry  in  a,  In(/(d))  >  0  [ (3)+Def .  4.2-6]  =»Ex(d,k)/(IE.  Therefore, 

I 

(22)  if  /(d) fOA,  then  there  is  an  entry  g  in  a*  such  that  V(g)  ■  v  and 

T(g)  has  source  s  [(16)+(19)] 

(23)  /(d)  *  OA  ■»  there  is  a  token  on  an  arc  b  in  S'Q  whose  value  is  v,  if 
v  is  not  a  pointer,  or  (v,R)  or  (v,W)  if  v  is  a  pointer,  and 

s  -  Source(b,5,2)  [(21)+Alg.  4.3-1]  »  there  is  a  token  of  value  v 
on  b  in  S' *2  [(13)]  «•  that  token  either  is  or  is  not  removed  by  a 
firing  in  2'  which  is  not  in  2  [(1)] 

(24)  Given  any  arc  b,  let  S  be  any  prefix  of  2'  longer  than  2  such  that 

every  firing  in  6  which  removes  a  token  from  b  is  in  2.  Then  for 
any  prefix  A  of  2*  such  that  |2|  2  Ja|  2  { 9 [ »  there  is  a  token  on 
b  in  £'*A  (23) 

b  is  in  the  number-1  group  of  output  arcs  of  actor  d'  *>  for  no  A  such 
that  ]2|  2  | A}  5  } 6 |  is  d'  enabled  in  S' ‘ A  [(24)+Def.  2.1-4]  «•  there  are 
the  same  number  of  firings  of  d*  in  6  as  in  2  [Def.  2.3-1].  Hence, 

(25)  Source(b,5' ,8)  ■  Source(b,5,2)  ■  s  (24)+Def.  2.3-1+Lemma  7.1-3 

(26)  There  is  a  token  of  value  v  on  b  in  S' *2  which  is  removed  by  a 

subsequent  firing  in  2*  *»  there  is  a  prefix  69  of  s'  longer  than  2 
such  that  every  firing  in  8  which  removes  a  token  from  b  is  in  2 
and  <p  removes  a  token  from  b  «»  there  is  cm  entry  g  in  a>'  such  that 
V(g)  ■  v  and  T(g)  has  source  Source(b,5* .8)  "  s(24)+(25)4Alg.  4.3-1 

(27)  There  is  a  token  of  value  v  on  b  in  5*  *2  which  is  not  removed  by  a 

subsequent  firing  *•  there  is  a  token  of  value  v  on  b  in  s' ‘2* »  2’ 
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ls  halted,  and  S'  is  a  prefix  of  Q '  longer  than  Q  in  which  every 
firing  which  removes  a  token  from  b  is  in  2  [(1)]  9  there  is  an 
entry  g  in  co'  such  that  V(g)  =  v  and  T(g)  has  source  Source (b, S' ,2' ) 
which  is  s  (24)+(25)+Alg.  4.3-1 

Therefore,  for  every  entry  f  in  co,  there  is  an  entry  g  in  go'  whose  value 
is  the  same  and  whose  transfer  has  the  same  source  [ (21)+(22)+(23)+(26)+ 
(27)],  so  <o'  is  SOE-inclusive  of  co  [(5)+(6)+(9)+(10)+(ll)+(20)+Def •  5.2-8] 

A 

Theorem  7.1-4  EE(Lp,M)  is  a  S true ture-as -Storage  model. 

Proof : 

(1)  EE(Ljj,M)  *  (V,  L,  A,  In,  E)  is  an  entry-execution  model  [Thm.  4.3-1] 

There  is  a  distinct  subset  of  V  containing  pointers  [Defs.  2.2-1+ 
4.3-1].  The  action  domain  A  contains  the  eight  actions,  and  In 
assigns  the  input  arities:  Fetch  (1),  First  (1),  Next  (2),  Select 

(2),  Copy  (1),  Assign  (2),  Update  (3),  and  Delete  (2)  [Defs.  3.3-12+ 
2. 2-3+4. 3-1]. 

(2)  Let  (Int,J)  be  any  expansion  in  E,  where  Int  *  (St,/, IE).  Then  there 

is  an  Lp  program  P  such  that  this  pair  is  an  expansion  of  P 

Def.  4.3-1 

(3)  Let  J  be  any  job  in  J.  Then  J  is  a  job  for  Int  [ (l)+(2)+Def .  4.2-3]. 

Int  *  Int(P),  and  there  is  an  equivalence  class  E  of  Initial 

modified  states  for  P  such  that  J  ■  J_  [(2)+Def.  4.3-2]. 

£ 

(4)  P  is  an  Lbs  program  (2)+Def.  3.3-12 

(5)  Let  5^  and  S ^  be  any  two  initial  states  in  E,  and  let  and 


I 
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any  two  halted  firing  sequences  a  tar  tins  In  ^  and  *°r  1-1  *2, 

lat  k<7^  be  the  Initial  atandard  atata  for  P  correapondlng  to  ,«?  . 
than  there  la  a  halted  firing  sequence  a*  starting  in  euch  that 
uC^.Uj)  *•  SOK-lnclualve  of  tjC^.sIj)  ](4)+Thm.  7.1-3].  Lat 
Oj  -  ti(5i,ai)  and  wj  - 

(6)  u\^  and  era  both  caueal  computation*  for  Int(P)  (5)+Lemma  4.3-2 

(7)  «oj  aatlaflae  the  Input/Output  Type  Constraint  ((3)+Leaa«a  3.3-1],  the 

Structure  Output  Constraint  ((5)+l.emma  5.3-3),  and  the  Unique 
Pointer  Generation  Constraint  [(5)+l, earns  5.3-6],  all  given  tnt(P) 
For  any  pointer  p  which  Is  the  value  in  of  the  output  entries  of  a 
Copy  execution  C,  the  first  entry  in  with  value  p  Is  one  of  those 
output  entries  of  C  I (6)+(7)+Le*ma  5.3-8],  so 

(8)  For  any  structure  operation  execution  e  initiated  In  and  for  any 

Assign,  Update,  or  Delete  execution  A,  efR(A)  In  «»  <*  afR(A)  In 

(6)+(5)+Lamma  5.2-6 

(0)  io^  satisfies  the  tnput/Output  Type,  Structure  Output,  and  Unique 

Pointer  Generation  Constraints,  given  Tnt(P) (3)-t-(6)-f(7)-fLeana  5.3-9 

(10)  For  any  pointer  p  which  la  the  value  In  of  the  output  entries  of 

a  Copy  execution  C,  the  first  entry  In  with  value  p  is  one  of 

those  output  entries  of  C  (6)+(9)+Lemma  5.3-8 


(11)  Let  p.  be  any  computation  in  J,  Then  p  Is  causal  (Def.  4.3-5], 

*  1  1  *  *  * 
and  p^  la  In  J^,  so  it  la  a  computation  for  Int  •  lnt(P)  ((3)  + 


Def a.  4. 3-4+4, 2-3] 


(12)  la  SOK-lnclualve  of  p^  (3)+i4)+Leana  5.3-7 

(13)  For  any  structure  operation  execution  a  Initiated  In  p^  and  any 

Assign,  Update,  or  Delete  execution  A,  efg(A)  in  p4  -»  etR(A)  in 
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[(6)+(ll)+(12)+(10)+Lemaa  5.2-6]  A  e  is  initiated  in  ^  [(12)+ 

Def.  5.2-8]  =»  e€R(A)  in  [(8)] 

(14)  p^  satisfies  the  Input/Output  Type,  Structure  Output,  and  Unique 

Pointer  Generation  Constraints,  given  Int(P) 

(6)+(ll)+(12)+(10)+Le*s>a  5.3-9 

(15)  For  any  pointer  p,  p  is  the  value  of  the  output  entries  in  p^  of  a 

Copy  execution  C  =»  the  first  entry  in  p^  with  value  p  is  one  of 
those  output  entries  of  C  (ll)+(14)+Lenma  5.3-8 

(16)  Let  n^  be  any  prefix  of  p^.  Let  yf  be  any  prefix  of  and  let  e 

be  the  execution  of  which  f  is  an  output  entry.  Then  yf  is  a 
prefix  of  p^,  so  e  is  Initiated  in  y  [(ll)+Def.  4.2-7].  I.e., 

(17)  is  causal 

(18)  is  in  J,  and  so  a^,  p4,  and  are  all  computations  for  Int(P) 

(16)+(ll)+(6)+Defs .  4. 3-3+4. 2-3 

(19)  For  any  structure  operation  execution  e  **  Ex(d,k)  initiated  in 

and  any  Assign,  Update,  or  Delete  execution  A,  e€R(A)  in  p^  iff 
e€R(A)  in  only  if  A  is  initiated  in  a^  [(17)+(11)+(18)+(16)+ 
(15)+Lemma  5.2-6]  A  there  are  In(/(d))  input  entries  to  e  in  a^, 
hence  in  p^,  so  e  is  initiated  in  p  *  [Def.  4.2-6] 

(20)  e€R(A)  in  coj  iff  e€R(A)  in  a£  only  if  A  is  initiated  in  a£  (19)+(13) 
Let  f  be  any  entry  in  a^.  Then  f  is  in  p^  [(16)].  Let  T(f)  be 
(Src(Ex(d,k) , j) ,  Dst(Ex(d' ,k') ,j)) .  Then  Constraint  5.1-1  dictates,  one 
or  two  times,  what  the  type  of  V(f)  should  be,  once  based  on  /(d)  and  1, 
and  again  based  on  /( d’)  and  j.  Both  of  the  types  so  dictated  match  the 
type  of  V(f)  (since  f  is  in  p^  [(14)]).  Therefore, 

(21)  dj,  satisfies  the  Input/Output  Type  Constraint 
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(22)  J  satisfies  the  Pointer  Transparency  Constraint  Lama  7.1-1 

(23)  Let  e  be  any  structure  operation  execution.  If  e  is  initiated  in  a^, 

the  e  is  initiated  in  p^  [(19)],  hence  in  [(12)+Def.  5.2-8]. 

For  every  Integer  j,  there  is  an  entry  Ent  (e,j)  in  a.  *»  there  is 

ai  1 

an  entry  EntQ  (e,j)  in  6.  with  the  sane  value  [(16)]  =»  there  is  an 

i 

entry  Ent  (e,j)  in  co.  with  the  sane  value  [(12)+Def.  5.2-8]  ■»  there 
co^  1 

is  an  entry  Ent^te.J)  in  co^  with  the  same  value  [(5)+Def.  5.2-8], 
There  is  an  entry  in  whose  transfer  has  source  Src(e,j)  only  if 

there  is  an  entry  in  co^  with  the  same  value  whose  transfer  has 

source  Src(e,J)  [(16)+(12)+Def .  5.2-8]  only  if  there  is  an  entry  in 
co*  with  the  same  value  whose  transfer  has  source  Src(e,j)  [(5)+ 

Def.  5.2-8] 

(24)  For  any  two  pointers  p±  and  p2,  ( p1,a1>p(p2,a2 )  »  (P1,P1)p(P2»P2) 

[ (17)+(11)+(18)+(16)+(19)+Leama  5.3.10]  -  (p^Mp^)  [(11)+ 
(6)+(18)+(12)+(20)+Lenma  5.3-10]  -  (p1»co[)p(p2,aJ)  [(6)+(5)+(8)+ 
Lemma  5.3-10] 

Since  S*  and  are  equal  initial  standard  states  for  LgS  program  P 
[(4)+(5)+Thm.  7.1-2],  satisfies  the  Atomic  Output,  Structure  Output, 
and  Unique  Pointer  Generation  Constraints,  and  and  a2  as  a  pair 
satisfies  the  Initial  Structure  and  First/Next  Output  Constraints 
[(5)+(6)+(17)+(23)+(24)+Lenma  5.3-11].  Therefore,  every  computation  in  Jg 
satisfies  the  Input/Output  Type,  Atomic  Output,  Structure  Output,  and 
Unique  Pointer  Generation  Constraints,  every  pair  of  computations  satisfies 
the  Initial  Structure  and  First/Next  Output  Constraints,  and  Jg  satisfies 
the  Pointer  Transparency  Constraint  [(16)+(ll)+(5)+(21)+(22)+Def .  4.3-3], 


5.  -  ... 


-551- 

From  this  and  (l)-(3),  EE(L^tH)  is  a  Structure-as-Storage  model  iJ«f.  5.1- 
[Def.  5.1-1]. 

Q.E.D. 

Lesma  7,2-3  For  any  equivalence  class  E  of  initial  modified  states  for 
an  Lgg  program  P,  let  J,  be  J£.  Let  Int(P)  be  (St,  /, IE).  Assume  there  are 
two  computations  agf  and  afg  in  J  such  that  T(f)  -  T(f) ,  T(g)  ■  T(g) ,  and 
f  and  g  initiate  distinct  executions  e^  “  Ex(d^,k^)  and  e^  -  Ex(d2,k2)  in 
agf,  where  d^  and  d^  are  in  St-DL.  Let  5  and  Q  (S'  and  &')  be  the  state 
in  E  and  halted  firing  sequence  starting  in  that  state  such  that  agf  (afg) 

is  a  prefix  of  a  computation  in  J  _  ( J  ,  , ) .  Then  there  are  prefixes 

o  »*«  S  »Sd 

9^2^ 2  of  ^  and  G'cpivi  °f  2*,  whose  reductions  are  $>(agf )  and  $(afi),  such 
that  0'  equals  8  and  for  1*1,2,  <p^  (tp is  the  k^1*  firing  of  d^. 
Furthermore,  <p ^  and  <p2  potentially  interfere  in  Oq>^p1  iff  Ent(e1»l)  and 
Ent(e2,l)  are  in  the  same  access  history,  and  e^  is  in  R(e2) ,  in  agf. 

Proof :  There  is  an  expansion  (Int,J)  in  EE(LB<,,M)  such  that  Int  ■  Int(P) 

and  J ij  [Defs.  4. 3-2+4. 3-1] .  Hence,  J  ■  J  is  a  job  for  Int(P) 

E 

[Thm.  4.3-1+Def.  4.2-2],  so 

(1)  agf  and  afg  are  computations  for  Int(P)  Def.  4.2-3 

(2)  Let  0  (0')  be  the  computation  in  J  (J  ,  f)  of  which  agf  (afg)  is 

O  )•  S  )w 

a  prefix.  Then,  for  1-1,2,  the  initiating  entry  to  e^  in  0A  (0*) 
is  preceded  therein  by  the  initiating  entries  to  exactly  k-1  other 
executions  of  d^  Cor.  4.3-1 

(3)  $(agf)  equals  $(a)(f>2®^t  in  which  <p^  is  the  k^**1  firing  of  d^ 

(2)+Def .  4.3-4 

The  prefix  A  of  Q  whose  length  is  the  length  of  $(agf)  has  as  its 
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reduction  $(agf)  [Lemma  7.2-2],  so  A  can  be  written  as  where  6  is 

a  prefix  of  2  and  is  the  k^**1  firing  of  dj^  in  2  [(3)+Def.  2.4-5].  Then 
6  is  the  prefix  of  2  whose  length  is  two  less  than  the  length  of  A,  so  the 
length  of  6  is  two  less  than  the  length  of  $(agf).  I.e.,  6  is  the  prefix 

of  2  whose  length  is  the  length  of  4>(a)  [(3)],  so  the  reduction  of  6  is 
$(a)  [Lena  7.2-2]. 

For  1*1,2,  there  are  In(/(d^))-l  input  entries  to  e^  in  a  [(1)+ 

Def.  4.2-6],  and  f  and  g  are  input  entries  to  e^  and  respectively 
[Defs.  4. 2-6+4. 2-5] ,  so  f  and  g  are  the  Initiating  entries  to  e^  and  e^, 
respectively,  in  afg  [(1)+Def.  4.2-6],  The  reasoning  of  the  above  para¬ 
graph  applies,  to  give  that  there  is  a  prefix  O'cp^cp^  of  2'  whose  reduction 
is  $(afg)  such  that  $(a)  is  the  reduction  of  e'  and  cpj  is  the  firing 

of  d^  in  2'.  Since  6'  and  6  have  the  same  reduction  $(a),  they  are  equal 
[Def.  2.4-5]. 

(4)  p  is  a  permutation  of  to  ■  r)(£,2)  [(2)+Daf.  4.3-5],  which  is  a 

computation  for  Int(P)  [Lemma  4.3-2] 

(5)  For  any  j  and  for  1*1,2,  the  value  of  EntCe^.J)  in  u  equals  the  value 

of  the  token  removed  from  d^'s  number- j  input  arc  at  d^'s  k^tli 
firing  in  Q  Alg.  4.3-1 

(6)  For  1*1,2,  all  In(/(d^>)  input  entries  to  e^  in  co  are  in  agf 

(l)+(2)+(4)-H)ef .  4.2-6 

(7)  Ent(e^,l)  and  Ent(e2>l)  are  in  the  same  access  history  in  agf  iff 

they  have  the  same  pointer  value  [Def.  5.1-4]  iff  Ent(e^,l)  and 
Ent(e2»^)  have  the  same  pointer  value  in  co  [(d)]  iff  *n<*  <pg 
remove  tokens  with  the  same  pointer  value  from  the  number-1  input 
arcs  of  d^  and  d2  in  2  [(5)] 
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(8)  There  are  entries  Entte^)  and  Ent(e2,2)  in  agf  and  their  values  are 

equal  iff  there  are  entries  Ent(e^,2)  and  Ent(e2>2)  in  co  and  their 
values  are  equal  [(6)]  iff  <p^  and  cp2  remove  tokens  of  equal  value 
from  the  number-2  input  arcs  of  d^  and  d2  in  2  [(5)] 

(9)  No  execution  initiates  between  and  e2  in  agf  Def.  4.2-6 

<p^  and  <p2  potentially  interfere  in  ffi  iff  they  have  equal  number-1  inputs 
and  either  q>2  is  an  Assign  firing  and  is  a  Fetch,  Assign,  or  Copy 
firing,  or  <p2  is  an  Update  or  Delete  firing  and  is  a  Copy,  First,  or 
Next  firing  or  a  Select,  Update,  or  Delete  firing  with  the  same  number-2 
input  as  <(>2  [Def.  3.1-2]  iff  EntCe^l)  follows  Ent(e2,l)  in  the  same 
access  history  in  agf,  with  no  intervening  entries  [(7)+(9)+Def .  5.1-4] 
and  either  e2  is  an  Assign  execution  and  e^  is  a  Fetch,  Assign,  or  Copy 
execution,  or  e2  is  an  Update  or  Delete  execution  and  e^  is  a  Copy,  First, 
or  Next  execution,  or  a  Select,  Update,  or  Delete  execution  with 
V(Ent(e1,2))  -  V(Ent(e2>2))  [(8)+Alg.  4.3-1]  iff  Ent^.l)  and  Ent(e2,l) 
are  in  the  same  access  history  in  agf  and  e^  is  in  R(e2>  in  agf  [(9)+ 

Def s.  5. 1-5-5. 1-8]. 

A 

Lemma  7.2-5  Let  and  <?2  be  any  two  equal  initial  modified  states  for 
the  same  program  P.  Let  8^  and  &2  be  two  firing  sequences  starting  in 
and  52  respectively  such  that 

(1)  for  each  actor  d  in  P,  there  are  the  same  number  of  firings  of  d 

in  both  and  &2> 

(2)  for  each  gate  d  in  P  and  each  k,  the  k**1  firings  of  d  in  8^  and  82 

remove  control  tokens  of  the  same  value,  and 
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(3)  for  any  two  actore  d  and  d’,  and  for  any  k,  there  is  a  k'  such  that 

if  the  kth  firings  of  d  in  2^  and  22  renove  tokens  from  output  arcs 
of  d',  then  those  firings  both  are  preceded  by  k'  firings  of  d'. 
Then  for  any  arc  in  P  which  holds  tokens  of  pointer  value  in  and 

^2 *^2*  e*t*ier  both  are  read  pointers  or  both  are  write  pointers. 

Proof: 

(4)  Every  token  which  appears  on  a  program  input  arc  has  a  read  pointer 

as  value  Def.  3.3-5 

(5)  Every  token  which  appears  on  a  number-1  output  arc  of  a  Copy  has  a 

write-pointer  value,  and  every  token  which  appears  on  the  nuober-2 
output  arc  of  a  Copy  or  the  number-1  output  arc  of  a  Select  has  a 
read-pointer  value  Def.  3.3-9 

•  A. 

(6)  Every  arc  can  hold  a  token  of  pointer  value  only  if  it  Is  a  program 

input  arc  or  an  output  arc  of  a  Copy,  Select,  or  pi  actor 

Defs.  3. 3-9+2. 2-5 

Prove  by  contradiction  that  for  every  pi  actor  d  in  P  and  every  integer 
k  >  0,  toe  k**  firing  of  d  in  2^  outputs  a  read  (write)  pointer  iff  the 
k**1  firing  of  d  in  2^  outputs  a  read  (write)  pointer.  Assume 

(7)  the  above  is  false 

(8)  There  is  a  prefix  6<p  of  2^  such  that  for  every  pi  actor  d'  and 

Integer  k'  such  that  there  are  no  more  than  k'  firings  of  d'  in  6, 
the  k' firing  of  d'  in  2^  outputs  a  read  (write)  pointer  iff  the 
k*  **  firing  of  d'  in  22  outputs  a  read  (write)  pointer,  and  tp  is  the 
kth  firing  of  pi  actor  d,  it  outputs  a  read  (write)  pointer  In 
and  the  kth  firing  of  d  in  22  does  not  (7) 
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By  (2) ,  d  is  a  gate  «•  <p  removes  a  true  control  token  iff  the  firing 
of  d  in  removes  a  true  control  token.  Hence, 

(9)  there  is  one  input  arc  b  of  d  such  that  a  token  is  copied  from  b  to 
d's  output  arcs  by  the  k**1  firing  of  d  in  both  8^^  and  82 
[Defs.  2. 1-5+2. 2-4] .  b  is  a  program  input  arc  or  an  output  arc  of 
a  Copy  or  Select  =*  the  kth  firings  of  d  in  8^  and  82  either  both 
output  read  pointers  or  both  output  write  pointers  [(4)+(5)],  so 
b  is  an  output  arc  of  a  pi  actor  d*  [(8)+(6)] 

(10)  The  tokens  output  by  <p  in  8^  ere  identical  to  those  output  by  the 

k'^1  firing  0f  a*,  vhere  there  are  exactly  k'  firings  of  d'  in  0 
[(9)+Def.  2.1-5],  so  there  are  exactly  k’  firings  of  d'  before  the 
k**1  firing  of  d  in  82  [  (9)+(3)  ] .  Hence  the  tokens  output  by  the 
kth  firing  of  d  in  S2  are  Identical  to  those  output  by  the  k,th 
firing  of  d*  in  82  [(9)+Def.  2.1-5]. 

The  tokens  output  by  <p  are  read  (write)  pointers  iff  the  tokens  output  by 
the  k**1  firing  of  d  in  a2  are  read  (write)  pointers  I(10)+(8)].  Since 
(7)  leads  to  this  contradiction  with  (8),  (7)  is  false;  l.e., 

(11)  for  every  pi  actor  d  and  integer  k  >  0,  the  k*"^1  firing  of  d  in  8^ 

outputs  a  read  (write)  pointer  iff  the  k**1  firing  of  d  in  S2 
outputs  a  read  (write)  pointer 

Letting  b  be  any  arc  which  holds  a  token  of  value  (p,R)  or  (p,W)  in  both 
^2*^2  and  ^1*^1’  k  is  an  output  arc  of  a  pi  actor  d  -*  the  token  on  b  in 
<?l*8i  was  output  by  the  k6*1  firing  of  d  in  8 , ,  where  k  is  the  exact  number 
of  firings  of  d  in  8^  [Def.  2.1-5]  »  there  are  exactly  k  firings  of  d  in 
22  •  the  token  on  b  in  S2*82  was  placed  there  by  the  k**1  firing  of 

d  in  82  [Def.  2.1-5].  Therefore,  the  token  on  b  in  S^*8^  Is  •  read 
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(write)  pointer  iff  the  token  on  b  In  e  reed  (write)  pointer 

l(6)+(4)+<5)+(ll>]. 

A 

Le—a  7.2-6  Given  any  program  P,  let  Q  be  any  halted  firing  sequence 
starting  In  any  Initial  Modified  state  5  for  P.  Let  any  prefix 

of  S  and  let  3  be  such  that  a  ■  If  Qcpj^  18  a  f irinS  sequence 

starting  In  5  and  5*0<p1<p 2  la  Identical  to  then  a*  *  Qcp^^  Is  a 

halted  firing  sequence  starting  In  S  and  rjCS.fi')  contains  the  sane  set  of 
entries  as  tj(5,2). 

Proof: 

Key  definitions:  Def.  2.3-1  -  firing  sequence  starting  In  a  state; 

Defs.  3. 3-9+3. 3-7+2. 1-5  -  modified  interpreter;  Alg.  4.3-1  -  a >(S,Q) 
first  prove  the  following  hypotheses  by  induction  on  the  lengths  of  the 
prefixes  A  of  3: 

A:  Ocp^q^A  is  a  firing  sequence  starting  In  5 

B:  S‘  is  Identical  to  S'  0<p2<PjA 

C:  co(S,  9<p^(pgA)  contains  the  same  set  of  entries  as  w(5,8<p2<pjA) 

Basis:  |a|  •  0. 

A  and  B  are  true  by  Leans  hypothesis. 

(1)  Let  d^  and  d2  be  the  actors  in  P  of  which  <p^  and  <p2  are  firings. 

Then  both  are  enabled  In  S’ 9 

If  either  is  a  gate.  Its  control  Input  arc  has  a  token  on  it  In  5*8,  and 
so  that  arc  Is  not  an  output  arc  of  the  other  actor  [(1)-H)efs.  3.3-6+ 
2.1-4].  If  d^  (d2)  is  a  gate,  then  the  control  token  input  by  ^  (<p2> 
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in  either  0cp^<p2  0T  ^2^1  is  tbe  to'cen  on  its  control  input  ere  in  5*6. 
Therefore , 

(2)  The  set  of  input  arcs  from  which  (<p^)  removes  tokens  is  the  same 

in  both  and  9<p2<p^.  those  arcs  have  tokens  on  them  in 

5* 6  [(1)-H)efs.  3. 3-6+2. 1-4 ] ,  so  none  of  those  arcs  is  an  output  arc 
of  either  ^  or  d2  [( l)4Defs.  3. 3-6+2. 1-4] . 

(3)  All  of  the  tokens  removed  by  <p^  (e^)  in  either  Otp^ip^  or  0<p2<p^  are  on 

the  arcs  from  which  they  are  removed  in  5*0  (2) 

(4)  Let  b  be  any  input  arc  of  d^  (<■  ,)  from  which  a  token  is  removed  by 

q>l  (<p2>  in  either  0<p^cp2  or  9<p2<p^.  Then  there  is  a  token  on  b  in 
5*0«p2  and  5*0  (5*0«p^  and  5*0)  (3) 

If  b  is  an  output  arc  of  actor  d,  then  there  are  the  same  number  of 
firings  of  d  in  6^  and  0<p2  as  in  0  [(2)],  so 

(5)  Source (b ,5, 0<pj)  ■  Source(b,5,0)  (Source(b,5,0<p2)  *  Source(b,5,0)) 

(4)+Lemma  7.1-3 

(6)  All  of  the  entries  in  co(5,0)  are  in  each  of  co(5, 0<p1«p2)  and  oo(5,0<p2<p^) 

(7)  There  is  an  entry  with  value  v  and  transfer  (s,  Dst(Ex(d,k) ,j))  in 

a>(5,0q>jq>2)  that  is  not  in  co(S»6)  iff  d  ■  d^,  q>^  is  the  k^  firing 
of  d^  in  0<p^(p2>  <p^  removes  a  token  of  value  v  from  b,  the  number-j 
input  arc  of  d^,  and  s  ■  Source(b,5,0) ,  or  d  -  d^,  q>2  is  the  ktb 
firing  of  d2  in  e^cp,,  <p2  removes  a  token  of  value  v  from  b,  d2's 
number-j  input  8rc,  and  s  ■  Source (b ,5,0<p^)  iff  d  ■  d^,  <p^  is  the 
ktb  firing  of  d^  in  0<p2<p2,  <p,  removes  a  token  of  value  v  from  b, 
the  number-j  input  arc  of  d^,  in  ftp,,®, ,  and  s  -  Source (b, 5,0<p2) 
t(2)+(3)+(5)],  or  d  ■  d2»  q>2  is  the  k**1  firing  of  d2  in  09^,  <P2 
removes  a  token  of  value  v  from  b,  the  number-j  input  arc  of  d2> 
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and  s  -  Source(b ,5,0)  [ (2)+(3)+(5) ]  iff  there  is  an  entry  with  value 
v  and  transfer  (s,  Dst(Ex(d,k)  ,j))  in  aCSfOtpjtpj)  which  is  not  in 
w(5,0) 

Therefore,  co(5,6q>^<p2)  contains  the  same  set  of  entries  as  co(5,6tp2<p^) 
l(6)+(7) 1 . 

Induction  step:  Asstme  that  A,  B,  and  C  are  true  for  prefix  4  of  S. 

0  <  |  A |  <  |H| ,  and  consider  prefix  Aip  of  S. 

(8)  is  a  firing  sequence  starting  in  5 

(9)  Let  d  be  the  actor  of  which  <p  is  a  firing.  Then  d  la  enabled  in 

5-e*p2« PjA  (8) 

(10)  Enabling  conditions  for  an  actor  are  a  function  solely  of  state 

Defs.  3. 3-6+2. 1-4 

(11)  S'eqjjipjA  is  identical  to  5*0q>2<P1A  lod.  hyp.  B 

d  is  enabled  in  [(8)+(10)+(9) ] ,  and  d  is  a  Copy  and  <p  -  (d,(p,n)) 

•  (p,n)  is  not  in  IT  in  5*0^2^^  [(8)+Oefs.  2. 3-1+2. 2-5]  •  (p,n)  is  not 

in  n  in  [(H)]  -  (p,n)  can  be  added  to  n  in  going  to  5*0< p^Atp 

[Def.  2.2-5].  Therefore,  is  a  firing  sequence  starting  in  5 

find.  hyp.  A+Def .  2.3-1]. 

The  state  after  a  state  transition  depends  only  on  the  state  before  the 
transition,  the  actor  chosen  to  fire,  and  if  that  is  a  Copy,  the  pair 
(p,n)  chosen  to  be  added  toll.  Therefore, 

(12)  *s  identical  to  5 •  O^cp j.  A<p 

(13)  If  d  is  a  gate,  then  <p  has  the  same  control  input  in  both 

and  0tp2<P]&p  (11) 

(14)  (o(5,0(p A)  is  a  prefix  of  wCS.OcpjVj&p)  and  coCff.Oip^A)  is  a  prefix 

of  o>(5,0<pj<p 2&p) 
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(15)  Let  b  be  any  arc  from  which  <p  removes  a  token  In  either  Gq^cp^Afp  or 

Then  there  is  a  token  on  b  in  both  S'Sq^cp^A  and  S'Scp^q^A. 
[(12)].  If  b  is  an  output  arc  of  an  actor,  then  there  are  the  same 
number  of  firings  of  that  actor  in  Qq^tp^A  *nd  Otpj^A*  so 
Source(b,5,9<p2<pjA)  ■  Source(b,S, Scp^^A)  [Lemma  7.1-3] 

(16)  There  is  an  entry  with  value  v  and  transfer  (s,  Dst(Ex(d,k) , j))  in 

co(5,0<pj(p-,A(f>)  which  is  not  in  co(S,  Gcp^q^A)  iff  <p  is  the  k^  firing 
of  d  in  6qyp7A<p,  it  removes  a  token  of  value  v  from  b,  the  number- j 
input  arc  of  d,  in  dcpj^Acp.  and  s  ■  Source (b ,S, ©ip^q^A)  iff  <P  is  the 
k**1  firing  of  d  in  dq^q^Atp*  it  removes  a  token  of  value  v  from  b, 
the  number-j  input  arc  of  d,  in  Qq^tp^  A<p  [(13)+(11)]  and  s  is 
Source(b,S', 9q>2<P1A)  [(15)]  iff  there  is  an  entry  with  value  v  and 
transfer  (s,  Dst(Ex(d,k) , j))  in  ^(S.&PjCPjAep)  which  is  not  in 
(o(S,6q>2<P1  A) 

Therefore,  co(5,  Gq^q^Atp)  contains  the  same  set  of  e-...‘iea  as  co(5,  Gqi^q^AqO 

[(14)+(16)].  Thus  it  is  proven  by  Induction  that 

(17a)  2'  is  a  firing  sequence  starting  in  S 

(17b)  S*2'  and  .9*2  are  identical  states 

(17c)  co(5,2')  contains  the  same  set  of  entries  as  co(5,2) 

Since  2  is  halted,  there  is  no  actor  enabled  in  S' 2  [Def.  2.3-1],  so  there 
is  no  actor  enabled  in  5’Q'  [(10)+(17b) ] ,  so  2'  is  a  halted  firing 
sequence  starting  in  S  [(17a)]. 

(18)  a o(5,2)  is  a  prefix  of  t)(5,2)  and  co(5,Q')  is  a  prefix  of  ^(5,2') 

Alg.  4.3-1 

Let  b  be  any  arc  which  holds  a  token  in  S' 2  or  S' 2'.  Then  b  holds  a  token 
in  both  5*2  and  5*2'  [(17b)].  If  b  is  an  output  arc  of  an  actor  d,  there 
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are  the  sane  nuaber  of  firings  of  d  in  S  ■  ffcp^cpjS  as  in  S'  ■  &<p^<p^St  so 
Source(b,5,&)  -  Source(b,S,2')  [Lemma  7.1-3] .  Therefore, 

(19)  there  is  an  entry  with  value  v  and  transfer  (s,  d)  in  r)(S,2')  which 

is  not  in  co (5,2')  iff  there  is  an  arc  b  which  holds  a  token  of  value 
v  in  S’G' ,  s  -  Source(b,S,Q') ,  and  d  is  a  certain  fixed  function 
of  b  [Alg.  4.3-1]  iff  there  is  an  arc  b  which  holds  a  token  of 
value  v  in  S-G  [(17b)],  e  •  Source(b ,S,G)  and  d  is  a  certain 
fixed  function  of  b  iff  there  is  an  entry  with  value  v  and  transfer 
(s,  d)  in  -n(&,&)  which  is  not  in  oo(5,Q)  [Alg.  4.3-1] 

Thus,  •n(5,2')  contains  the  same  set  of  entries  as  r](S,G)  [(18)+(19)]. 


A 
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